What is SIP ALG and Why You Need to Disable It

You've successfully set up your VoIP phone system, but you're encountering issues such as dropped calls, absence of incoming calls, or persistent ringing even after answering the call and no voice. The solution to these Voice over IP problems could be as simple as disabling SIP ALG.

In this comprehensive guide, we'll delve into why it's crucial to turn off SIP ALG and provide practical tips to optimize your network for VoIP phone service. This guide is designed to be user-friendly for beginners while still offering valuable insights for advanced users. Let's dive in!

What is SIP ALG?

SIP ALG stands for Session Initiation Protocol Application Layer Gateway. This technology, which is also called an application-level gateway, is available on most commercial routers, and it helps users more reliably initiate SIP calls, even when behind a LAN with a secure firewall configuration. The ALG is a network address translation (NAT) tool that changes private IP addresses and ports into public IP addresses and ports.

The SIP ALG acts as an independent firmware program to prevent firewall-related issues on the router. It inspects the SDP portion of data packets and modifies them so that they send correctly. Remember, all VoIP changes audio data (voice) into packets that are then sent over the net, so theoretically, this should ensure call quality.

Unfortunately, the technology often ends up hindering the quality of SIP calls due to the multi-process nature of SIP and the delicateness of data packets. This is why many VoIP service providers tell you to disable the feature on your router.

The problem with SIP ALG is the packet rewriting aspect of it. SIP ALG can be useful to mitigate multiple NATs, but it doesn’t help the vast majority. Let’s take a more in-depth look at what’s happening with these data packets.

The diagram above shows that the Application Layer Gateway changes the destination public IPs in SIP packets. Certain commercial routers are smart enough to inspect the SIP messages themselves to leave private IP addresses alone.

Today’s Unified Communication PBX systems, conference calls, and even audio/video conferencing rely on SIP. Signaling protocols like SDP, RTP, and RTSP all face the same issues because they are a subset of SIP packets.

Signs SIP ALG Affects VoIP Calls

There are a few categories of symptoms SIP ALG could affect VoIP calls. It’s not always apparent, especially since these issues often happen silently without users knowing.

  • One-way audio: Only one party can hear the other during a call.

  • Unresponsive phones: Phones do not ring when they are called.

  • Dropped calls: Calls get disconnected after being connected.

  • Unexplained voicemail: Calls go straight to voicemail without any apparent reason.

  • Degraded call quality: You may start to experience static, lapses in sound transmission, or echoing. This is due to the modification of the call data during transmission or receipt.

  • Lost calls: With this router service, it’s easy to lose the call altogether. When data is lost and is unrecoverable, disconnection is likely.

  • Failed registration: If any acknowledgments fail during a call, the call will fail to connect. This is often a direct result of a SIP ALG operating in the background.

What’s occurring is that some VoIP traffic is getting lost in transit between the phone and the VoIP service provider. This disruption is due to router firewalls. This traffic is crucial for maintaining the phone’s availability and for selecting the appropriate audio codecs.

Why Disable SIP ALG?

Conventional wisdom would suggest that an Application-Level Gateway is supposed to be enabled. After all, many consumer and commercial router settings even default SIP ALG to on.

SIP ALG, a feature in most broadband routers, was introduced with good intentions to address the limitations of Network Address Translation (NAT). However, it unfortunately interferes with the built-in functionality of IP and signaling protocols, rendering it unnecessary for today’s VoIP applications.

ALGs operate at the Application Layer of the OSI Model, and thus, do not consider the datagrams within transport protocols like UDP or TCP. VoIP signaling protocols address these common issues by including both public and private IP addresses in every packet.

Some routers attempt to enhance security by terminating open connections in the firewall, a process known as creating a "firewall pinhole". This allows traffic to function momentarily, but when a SIP proxy drops packets, it can disrupt VoIP calls after they have been established.

How to Disable SIP ALG on Your Router

Many routers have SIP ALG enabled by default within their device’s firmware. Thanks to user-friendly web interfaces, you can easily enable or disable this setting by checking or unchecking a box. An example is provided below:

Accessing your router’s interface is almost always very easy. Each router has the IP address of the router’s interface printed on a decal that also includes the default login information so that you change settings through a browser.

By default, many manufacturers set the login information as “admin” for the user and “password” for the pass – though some may not need a password. For commercial routers, you’ll want to change this login information to something more secure.

Unfortunately, not all router brands provide an easy method to disable certain features. Let’s guide you through some common methods used by the world’s leading router manufacturers. It’s worth noting that Cisco’s process is a bit more complex as it requires access to the command line to modify router settings.

Router Manufacturer

Steps to Disable SIP ALG

Actiontec

  1. Select Advanced, click Yes to accept the warning, then click ALG’s.

  2. Ensure SIP ALG is disabled by removing the check.

  3. Click Apply.

  4. Select Advanced, click Yes to accept the warning, then click Remote Administration.

  5. Click the checkbox to Allow Incoming WAN ICMP Echo Requests (for traceroute and ping), then click Apply.

Adtran

  1. Under Firewall, go to Firewall / ACLs.

  2. Click on ALG Settings.

  3. Uncheck the box labeled SIP ALG

  4. Click Apply.

If you are using the terminal, issue the following command: no ip firewall alg sip

Arris

Most Arris broadband gateways:

  1. Navigate to the gateway’s IP (192.168.0.1). Username: admin Password: motorola

  2. Navigate to Advanced, then Options.

  3. Uncheck the SIP box.

  4. Click Apply.

Arris BGW210

  1. Navigate to 192.168.1.254. Authenticate without a username, and use the password located on the unit’s sticker.

  2. Under the Firewall section, click on Advanced Firewall.

  3. Change the Set SIP ALG setting to off.

  4. Turn off the Authentication Header Forwarding.

  5. Turn off ESP Header Forwarding.

  6. Click Save.

Asus

  1. Under the Advanced Settings section, click WAN.

  2. Click the NAT Passthrough tab.

  3. Change the SIP Passthrough setting to “Disable.”

  4. Click Apply.

AT&T

U-Verse Pace 5268AC Gateway This broadband gateway does not support disabling SIP ALG. We recommend configuring your gateway to function only as a modem, not a router (Bridge Mode). You will need to use another router that supports disabling SIP ALG.

Cisco

Cisco General and Enterprise-Class routers: no ip nat service sip tcp port 5060 no ip nat service sip udp port 5060

Cisco PIX routers: no fixup protocol sip 5060 no fixup protocol sip udp 5060

Cisco ASA routers: Locate ‘Class inspection_default’ under ‘Policy-map global_policy’. Execute this command: no inspect sip

D-Link

  1. Click on Advanced Settings.

  2. Locate the Application Level Gateway (ALG) Configuration.

  3. Uncheck the SIP option.

  4. Click Save.

DIR-655:

  1. Click Advanced, located along the top.

  2. Click Firewall Settings on the left side of the screen.

  3. Uncheck Enable SPI

  4. Set both UDP and TCP Endpoint Filtering to Endpoint Independent.

  5. Uncheck SIP from Application Level Gateway Configuration.

  6. Click Save.

Fortinet

  1. Use the following commands from the CLI interface: config system session-helper show system session-helper

  2. Find the SIP session instance, typically indicated by #12

  3. Delete #12 or the appropriate number

  4. Confirm its deletion by executing this command: show system session-helper. For more guidance, follow this article.

Linksys

Linksys Smart Wi-Fi (E-series):

  1. On the left side of the screen, click on Connectivity.

  2. Click the Administration tab.

  3. Under Application Layer Gateway, verify SIP is unchecked.

  4. Click Apply or Save.

Older Linksys models:

  1. Go to the ‘Advanced’ section on the Admin page

  2. Disable the SIP ALG feature.

Linksys BEFSR41 routers:

  1. Click on Applications and Gaming on the Admin page.

  2. Click on Port Triggering.

  3. Type in ‘TCP’ as the application.

  4. Type in ‘5060’ into the Start Port and End Port for the ‘Triggering Range’ and ‘Forwarded Range’ fields.

  5. Check ‘Enable’.

  6. Click on Save and Reboot.

Mikrotik

For Mikrotik routers, SIP ALG is known as SIP Helper.

  1. Use the company’s winbox software.

  2. Navigate to IP, then Firewall.

  3. Click on the Service Ports tab and disable it through the GUI.

  4. You may also run this command from the terminal: /ip firewall service-port disable sip

Netgear

For Netgear routers with the Genie interface:

  1. Select the Advanced tab at the top.

  2. Expand the Setup menu on the left side of the screen.

  3. Click WAN Setup.

  4. Check the box labeled Disable SIP ALG.

Other Netgear routers:

  1. Under the Security/Firewall, click on Advanced Settings.

  2. Disable SIP ALG.

  3. Locate Session Limit under Security/Firewall.

  4. Increase the UDP timeout to 300 sec.

SonicWall

  1. Under System Setup on the left side of the screen, click on VoIP.

  2. Check ‘Enable Consistent NAT’

  3. Uncheck ‘Enable SIP Transformations’.

  4. Click Accept.

  5. To increase UDP timeouts, navigate to the Firewall Settings, then Flood Protection.

  6. Click on the UDP tab and modify the default UDP connection timeout to 300 seconds.

  7. Click the Accept button to save the changes. For more information, consult this support article.

TP-Link

Newer TP-Link routers (Archer series):

  1. Click on the Advanced Tab.

  2. Expand the NAT Forwarding menu on the left side of the screen.

  3. Uncheck SIP ALG, RTSP ALG, and H323 ALG checkboxes.

  4. Click Save.

Older TP-Link routers:

  1. Use the Telnet client from the Command Prompt.

  2. Apply the following command: ip nat service sip sw off

UBEE

  1. Go to Advanced, then Options.

  2. Uncheck the SIP and the RTSP checkboxes.

  3. Click Apply.

Ubiquiti

UniFi Security Gateway

  1. Sign in to your UniFi security gateway.

  2. Click on Routing & Firewall along the left side.

  3. Click the Firewall tab at the top and click Settings from the sub-menu.

  4. Toggle H.323 and SIP to off.

  5. Click the Apply Changes button.

EdgeRouters (ER-x)

  1. Access the router’s administrative interface, typically at 192.168.1.1.

  2. Use the Config Tree or a command-line interface to disable SIP ALG.

Config Tree:

  1. Select config tree in the top right-hand corner.

  2. Expand system, conntrack, modules, and sip.

  3. Click the plus sign next to disable.

  4. Click the Preview option.

  5. Click Apply.

Command Line Interface:

  1. From the administrative interface, choose CLI located at the top right corner of the screen.

  2. From here, we can also increase UDP timeouts as well.

  3. Enter these commands into the terminal: configure set system conntrack modules sip disable set system conntrack timeout udp stream 300 set system conntrack timeout udp other 300 commit save exit

Verizon FiOS

G1100

This broadband gateway does not support disabling SIP ALG. We recommend configuring your gateway to function only as a modem, not a router. You will need to use another router that supports disabling SIP ALG.

ZyXEL

ZyXEL ZyWALL/USG60:

  1. Click on Configuration and expand the Network settings.

  2. Click ALG along the left side.

  3. Uncheck all the checkboxes on the right side:

    1. Uncheck Enable SIP ALG.

    2. Uncheck Enable SIP Transformations.

  4. Click Apply.

ZyXEL C1000Z/C1100Z (CenturyLink):

  1. Click on Advanced Setup.

  2. Click on SIP ALG along the left side.

  3. Toggle the SIP ALG setting to Disable.

  4. Click Apply.

ZyXEL P600:

  1. Telnet to the router (192.168.1.1) and enter the password.

  2. The default password is 1234. Type “24” and press enter.

  3. Then “8” and press enter.

  4. Provide this command: ip nat service sip active 0

  5. When done, press Enter.

Last updated