5G-S-TMSI missing in ServiceRequest

[yoursunny]

When testing UE Initiated Service Request procedure with free5GC, the free5GC AMF replies with Error Indication and logs this error:

2024-01-24T15:55:40.276314287Z [INFO][AMF][Ngap][ran_addr:172.25.199.1:9487] Handle InitialUEMessage
2024-01-24T15:55:40.276361206Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2701131778,AU:2(3GPP)][ran_addr:172.25.199.1:9487] New RanUe [RanUeNgapID:2701131778][AmfUeNgapID:2]
2024-01-24T15:55:40.276384089Z [WARN][AMF][Ngap][amf_ue_ngap_id:RU:2701131778,AU:2(3GPP)][ran_addr:172.25.199.1:9487] Missing 5G-S-TMSI IE in InitialUEMessage; send ErrorIndication
2024-01-24T15:55:40.276396723Z [INFO][AMF][Ngap][ran_addr:172.25.199.1:9487] Send Error Indication
2024-01-24T15:55:40.276926735Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2701131778,AU:2(3GPP)][ran_addr:172.25.199.1:9487] Send UE Context Release Command

Test log with packet traces: free5gc.zip

According to ETSI TS 123.502 V16.7.0 section 4.2.3.2:

In the case of NG-RAN: The AN parameters include 5G-S-TMSI, Selected PLMN ID, Establishment cause and may also include NSSAI information

The message generated by gNBSim (frame 41 in the packet sample) is:

initiatingMessage
    procedureCode: id-InitialUEMessage (15)
    criticality: ignore (1)
    value
        InitialUEMessage
            protocolIEs: 5 items
                Item 0: id-RAN-UE-NGAP-ID
                Item 1: id-NAS-PDU
                Item 2: id-UserLocationInformation
                Item 3: id-RRCEstablishmentCause
                Item 4: id-UEContextRequest

As a comparison, the message generated by Open5GCore RAN simulator for this procedure has an id-FiveG-S-TMSI IE:

InitialUEMessage
    protocolIEs: 6 items
        Item 0: id-RAN-UE-NGAP-ID
        Item 1: id-NAS-PDU
        Item 2: id-UserLocationInformation
        Item 3: id-RRCEstablishmentCause
        Item 4: id-FiveG-S-TMSI
            ProtocolIE-Field
                id: id-FiveG-S-TMSI (26)
                criticality: reject (0)
                value
                    FiveG-S-TMSI
                        aMFSetID: 0040 [bit length 10, 6 LSB pad bits, 0000 0000  01.. .... decimal value 1]
                        aMFPointer: 00 [bit length 6, 2 LSB pad bits, 0000 00.. decimal value 0]
                        fiveG-TMSI: 2130706433 (0x7f000001)
        Item 5: id-UEContextRequest

[thakurajayL]

Hi @yoursunny . Would be great if you can provide spec reference if possible. That would help me & community in general. Thank you.

I shall look at this later today or this weekend.

[gab-arrobo]

Hi @yoursunny . Would be great if you can provide spec reference if possible. That would help me & community in general. Thank you.

@thakurajayL, the spec is TS 23.502

[linouxis9]

@thakurajayL if it can help you https://github.com/HewlettPackard/PacketRusher/pull/58 I've shared a pcap there as well ;-)

[thakurajayL]

@yoursunny - Could you please try this branch - https://github.com/thakurajayL/gnbsim-1/tree/dev-service-tmsi Let me know how it goes. though I know some more changes may be required to be done.

[yoursunny]

I tested https://github.com/thakurajayL/gnbsim-1/archive/dc3c0cdbf92ff0263657dc726289f1597b091560.zip uetriggservicereq profile with free5GC. Packet capture: gnbsim-dc3c0cdb.pcapng.zip The required 5G-S-TMSI field is now present in the packet, but AMF responds with "Service reject (Implicitly deregistered)".

AMF logs:

2024-02-01T15:24:19.770853775Z [INFO][AMF][Ngap][ran_addr:172.25.199.18:9487] Handle UEContextReleaseRequest
2024-02-01T15:24:19.770882460Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260864,AU:1(3GPP)][ran_addr:172.25.199.18:9487] Handle UEContextReleaseRequest (RAN UE NGAP ID: 2164260864)
2024-02-01T15:24:19.770911434Z [WARN][AMF][Ngap][ran_addr:172.25.199.18:9487] Cause RadioNetwork[20]
2024-02-01T15:24:19.770918798Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260864,AU:1(3GPP)][ran_addr:172.25.199.18:9487] Ue Context in GMM-Registered
2024-02-01T15:24:19.773608350Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260864,AU:1(3GPP)][ran_addr:172.25.199.18:9487] Send UE Context Release Command
2024-02-01T15:24:19.775106710Z [INFO][AMF][Ngap][ran_addr:172.25.199.18:9487] Handle UEContextReleaseComplete
2024-02-01T15:24:19.775123363Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260864,AU:1(3GPP)][ran_addr:172.25.199.18:9487] Handle UEContextReleaseComplete (RAN UE NGAP ID: 2164260864)
2024-02-01T15:24:19.775146446Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260864,AU:1(3GPP)][ran_addr:172.25.199.18:9487] Release Ue Context in GMM-Registered
2024-02-01T15:24:19.778227016Z [INFO][AMF][Ngap][ran_addr:172.25.199.18:9487] Release UE[imsi-001017005551000] Context : N2 Connection Release
2024-02-01T15:24:19.979652865Z [INFO][AMF][Ngap][ran_addr:172.25.199.18:9487] Handle InitialUEMessage
2024-02-01T15:24:19.979738737Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260865,AU:2(3GPP)][ran_addr:172.25.199.18:9487] New RanUe [RanUeNgapID:2164260865][AmfUeNgapID:2]
2024-02-01T15:24:19.979789273Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260865,AU:2(3GPP)][ran_addr:172.25.199.18:9487] Find 5G-S-TMSI ["010000000001"] in InitialUEMessage
2024-02-01T15:24:19.979817456Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260865,AU:2(3GPP)][ran_addr:172.25.199.18:9487] Send Service Reject
2024-02-01T15:24:19.979834098Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260865,AU:2(3GPP)][ran_addr:172.25.199.18:9487] Send Downlink Nas Transport
2024-02-01T15:24:19.980232851Z [WARN][AMF][Ngap][amf_ue_ngap_id:RU:2164260865,AU:2(3GPP)][ran_addr:172.25.199.18:9487] AmfUe is nil
2024-02-01T15:24:19.980406469Z [WARN][AMF][Ngap][amf_ue_ngap_id:RU:2164260865,AU:2(3GPP)][ran_addr:172.25.199.18:9487] Send ServiceReject [Cause5GMMImplicitlyDeregistered]
2024-02-01T15:24:19.980420296Z [INFO][AMF][Ngap][amf_ue_ngap_id:RU:2164260865,AU:2(3GPP)][ran_addr:172.25.199.18:9487] Send UE Context Release Command
2024-02-01T15:24:19.980690215Z [WARN][AMF][Ngap][amf_ue_ngap_id:RU:2164260865,AU:2(3GPP)][ran_addr:172.25.199.18:9487] AmfUe is nil

Maybe free5GC doesn't support ServiceRequest? In any case, I do not consider that a bug in gNBSim.

[yoursunny]

Oh I shouldn't close this issue so fast as the commit is still in a fork.

[gab-arrobo]

@yoursunny can you please confirm PR #150 address this issue? It is essentially what @thakurajayL proposed in https://github.com/thakurajayL/gnbsim-1/tree/dev-service-tmsi

[yoursunny]

can you please confirm PR #150 address this issue?

I tested https://github.com/gab-arrobo/gnbsim/archive/c79b5c84422516771eed3469388260c7a4762501.zip uetriggservicereq profile with free5GC. Packet capture: gnbsim-150-c79b5c84.zip There's no 5G-S-TMSI field in sight.

NG Application Protocol (InitialUEMessage)
    NGAP-PDU: initiatingMessage (0)
        initiatingMessage
            procedureCode: id-InitialUEMessage (15)
            criticality: ignore (1)
            value
                InitialUEMessage
                    protocolIEs: 5 items
                        Item 0: id-RAN-UE-NGAP-ID
                        Item 1: id-NAS-PDU
                        Item 2: id-UserLocationInformation
                        Item 3: id-RRCEstablishmentCause
                        Item 4: id-UEContextRequest

To ensure my testing procedure is correct, I changed back to the tarball used last time and the field appears. The two patches look exactly the same, so that I can't understand what changed.

[yoursunny]

Upon further inspection, I found the difference:

• In the @thakurajayL patch (working), m.Tmsi is assigned in HandleServiceRequestEvent function.
• In the @gab-arrobo patch (not working), m.Tmsi is assigned in HandleRegCompleteEvent function.

They look the same but they are different.

[yoursunny]

I re-tested https://github.com/gab-arrobo/gnbsim/archive/0099371e2512d49185b5ce1325d350a2e34b9ee0.zip and it's compatible with free5GC AMF.