Message Fact Sheet

Protocol	nas	Network	5g
Spec	3GPP TS 24.501	Spec Section	8.2.21
Direction	UE to AMF	Message Type	5GMM signaling

Full message name	5G NAS - Security Mode Complete
Protocol	NAS
Technology	5G
Direction	UE to AMF
Interface	N1
Signaling bearer / channel	NAS signaling / Dedicated NAS message, commonly transported via UL Information Transfer
Typical trigger	Sent immediately after the UE successfully processes Security Mode Command and activates the selected NAS security algorithms.
Main purpose	Confirms successful activation of the NAS security configuration chosen by the AMF so the registration or service procedure can continue securely.
Main specification	3GPP TS 24.501, 8.2.21
Release added	Release 15
Procedures where used	5G Initial Registration, Mobility Registration Update, Service handling with security context establishment
Related timers	T3560
Related cause values	IMEISV availability when requested

What is Security Mode Complete in simple terms?

Security Mode Complete is the NAS message the UE sends to confirm that it accepted the selected NAS security algorithms and has switched into the commanded protected signaling state.

Confirms successful activation of the NAS security configuration chosen by the AMF so the registration or service procedure can continue securely.

Why this message matters

Security Mode Complete is the UE confirming that it accepted the NAS security settings chosen by the network.

Where this message appears in the call flow

5G Initial Registration

Call flow position: UE confirmation step after Security Mode Command and before Registration Accept.

Typical state: NAS security is active and the procedure is ready to move into final registration acceptance.

Preconditions:

The UE has received and accepted Security Mode Command.
The selected NAS algorithms and ngKSI context are usable.

Next likely message: Registration Accept

Mobility Registration Update

Call flow position: UE security confirmation point before the update procedure continues with later mobility-management handling.

Typical state: NAS signaling is now protected according to the selected security context.

Preconditions:

The AMF has commanded NAS security activation.

Next likely message: Configuration Update Command or later procedure-specific NAS handling

Call flow position

Previous message(s): Security Mode Command, Authentication Response, Authentication Result

Next message(s): Registration Accept, Configuration Update Command, Service Accept

Message direction and transport

Sender and receiver: UE to AMF

Interface: N1

Domain: Core-side mobility management signaling with radio-side NAS transport

Signaling bearer: NAS signaling

Logical channel: Dedicated NAS message, commonly transported via UL Information Transfer

Transport / encapsulation: NAS 5GS message carried end-to-end between UE and AMF

Security context: This message confirms that the UE has accepted the selected NAS security context and is now operating with that protected state.

Message Structure Overview

Security Mode Complete is the UE-side confirmation that the commanded NAS security context is now active.
In practice, engineers read it as the handoff point from security activation into the next protected NAS procedure step.

Structure Syntax

This message is not typically analyzed as ASN.1 on the wire. Engineers usually inspect it as a NAS or protocol field decode rather than an ASN.1 tree.

Security Mode Complete follows NAS 24.501 IE structure and is not an ASN.1 message.

Decoded Message Dump

Security Mode Complete
  Extended Protocol Discriminator: 5G Mobility Management
  Security Header Type: Integrity protected and ciphered with new 5G NAS security context
  Message Type: Security Mode Complete
  IMEISV: not present

How to read this dump

The message is usually compact because its real meaning is procedural: the UE accepted NAS security and continued.
If IMEISV is present, check that it matches the request sent in Security Mode Command.

Important Information Elements

IE	Required	Description
`IMEISV`	Optional	Returned when the network requested IMEISV as part of the NAS security procedure.

Detailed field explanation

`IMEISV`

Returned when the network requested IMEISV as part of the NAS security procedure.

Presence: Optional

What to check in logs and traces

Confirm the message appears immediately after Security Mode Command.
Verify that the message uses the expected protected NAS security header treatment.
Check whether IMEISV is present when the command requested it.
Correlate the message with the next protected NAS step such as Registration Accept.

Common Issues and Troubleshooting

Security Mode Command is sent but Security Mode Complete never arrives.

Likely cause: The UE may have failed to activate the requested security context or the uplink protected NAS message was not delivered.

What to inspect: Check UE handling of the selected algorithms, lower-layer delivery, and whether Security Mode Reject appears instead.

Next step: Correlate with RRC transport, NAS protection state, and any immediate registration abort.

Security Mode Complete arrives but later registration still fails.

Likely cause: NAS security activation succeeded, so the root cause is likely in later registration contents, policy handling, or core-side acceptance logic.

What to inspect: Move analysis to Registration Accept, Registration Reject, or Configuration Update handling rather than staying on the security step.

Next step: Use this message as the boundary marker that proves NAS security activation was not the main failure point.

Detailed explanation

5G NAS - Security Mode Complete Explained

Security Mode Complete is the NAS message the UE sends after successfully processing Security Mode Command. It confirms that the UE accepted the selected NAS security algorithms and is now ready to continue the procedure with protected NAS signaling.

For beginners, the simple meaning is: the UE is telling the network that NAS security is now active.
For engineers, this message is the clean checkpoint that proves the NAS security step completed successfully and the trace can move on to the next protected stage.

What is Security Mode Complete in simple terms?

The network told the UE which NAS security settings to use. The UE accepted those settings and sends Security Mode Complete back to confirm that the change worked.

Why Security Mode Complete matters

This message matters because it closes the NAS security activation step. If it is missing, the procedure usually stalls at security activation. If it is present, engineers know the UE accepted the commanded security context and later failures should be searched elsewhere.

It therefore acts as an important boundary marker in registration analysis.

Where Security Mode Complete appears in the call flow

UE                              gNB / AMF
|<-- Authentication Request -----|
|--- Authentication Response ---->|
|<-- Security Mode Command ------|
|--- Security Mode Complete ----->|
|<-- Registration Accept --------|

It usually appears during initial registration, but it can also be part of other 5GMM flows that require NAS security establishment or refresh.

Transport characteristics

Direction: UE to AMF
Interface: N1
Transport on access side: commonly via UL Information Transfer
Security expectation: this message normally uses the newly activated protected NAS state, which makes the security header especially important in trace reading

What Security Mode Complete means operationally

Operationally, Security Mode Complete tells engineers that the UE accepted the selected NAS ciphering and integrity context and is now ready for the next protected procedure step.

The main practical checks are:

did it appear immediately after Security Mode Command
is it protected as expected
does the procedure continue into Registration Accept or later handling without interruption

Important Information Elements

IE	Why it matters
`IMEISV`	Present only when the network requested it as part of the security procedure; useful for checking that the UE returned the expected identity detail.

Example message dump

Security Mode Complete
  Extended Protocol Discriminator: 5G Mobility Management
  Security Header Type: Integrity protected and ciphered with new 5G NAS security context
  Message Type: Security Mode Complete
  IMEISV: not present

How to read this dump

First check that it directly follows Security Mode Command.
Then inspect the security header treatment, because the message usually proves that the new NAS security context is active.
If IMEISV is present, confirm that it matches the earlier request from the network.

What to check in logs

verify that Security Mode Complete follows Security Mode Command without an unexpected gap
confirm the message is protected with the expected new NAS security context
check whether IMEISV is present when the network requested it
correlate the message with the next NAS message, especially Registration Accept

FAQ

What does Security Mode Complete do in 5G NAS?

It tells the network that the UE accepted the selected NAS security configuration and is ready to continue with protected signaling.

What usually comes after Security Mode Complete?

The next step is often Registration Accept, though other protected NAS messages can follow depending on the procedure.

Does Security Mode Complete mean registration is finished?

No. It means NAS security activation succeeded. Registration still needs the remaining procedure steps to complete.

Summary

Security Mode Complete is the NAS message the UE sends to confirm that it accepted the selected NAS security algorithms and has switched into the commanded protected signaling state.

Advanced Engineer Notes

This message is operationally important because it closes the NAS security activation step and proves the UE accepted the selected protected context.
If it is present and clean, engineers should usually move their root-cause analysis forward rather than backward.

Related message pages

Related Procedures

Related Tools

Use This Reference in Practice

Decode this message with the 3GPP Decoder, inspect the related message database, or open the matching call flow to see where this signaling step fits in the full procedure.