SIP ALG ( Application Layer Gateway) is a feature on many routers that attempts to negate the need for static NAT mapping. Unfortunately, the implementation of SIP ALG's varies from manufacturer to manufacturer, and it generally causes more issues with VoIP (specifically SIP based VoIP) than it helps to alleviate.
The vast majority of the time the SIP ALG will need to be disable and typical port mapping will need to be implemented. A fair amount of devices ship with the SIP ALG enabled by default, and some even prevent the user from being able to disable the ALG or require a-typical access to do so.
SIP ALG Symptoms
The implementation of a SIP ALG has the affect of modifying SIP packet headers and hence affects SIP calls and/or the associated audio.
Common examples of problems associated with a SIP ALG being active include:
- Phone(s) appears to register but fails to function as desired
- Internal calls fail
- Problems receiving incoming calls
- One-way audio on incoming calls
- Dead air/dropped call when a phone call is established
- Transferring calls consistently fails
- Unable to put or retrieve a call on hold or park
Note: Some of the symptoms above can be caused by other configuration and/or technical issues and may not 100% indicative of a SIP ALG issue.
Common SIP ALG Names:
- SIP Inspection
- SIP Pass-Thru
- SIP Fixup (Cisco)
- SIP Transformations (SonicWALL)
- SIP Helper
The ports necessary for SIP and RTP are as follows:
For SIP (Session Initiation Protocol):
- UDP port 5060
For RTP (Real Time Protocol; aka the audio stream):
- UDP port range 10,000 through 20,000
More info on the proper ports to open can be found here
Examples of how to disable a SIP ALG
This section is designed to give you an idea of how to disable the SIP ALG on various brands and/or models of routers. It is not comprehensive and is routinely updated as routers and their software/firmware implementations consistently change and models are added/removed from production. If you have questions about your specific device please contact support.
Netgear devices typically ship with the SIP ALG enabled. To disable you will need to do the following.
- Access the Netgears WWW GUI by browsing to it's LAN IP Address. The default IP is 192.168.0.1
- Login to the device. The default user is 'admin' and the default pass is 'password'
- Select 'Security' → 'Firewall' → 'Advanced'
- To disable the SIP ALG, uncheck the option 'Enable SIP ALG' as shown below:
Newer Netgear Devices/Netgear genie; Nighthawk 8000
To disable the SIP ALG on the Nighthawk 8000 series devices, you will need to
- Login to the WWW GUI for the Router
- Select Advanced → Setup → WAN Setup
- Check the box labeled 'Disable SIP ALG' under the NAT filtering section:
SonicWALL refers to their SIP ALG as 'SIP Transformations', quite a few of the devices have shipped with this feature enabled in the past.
- To disable the SIP ALG you will need to login to the adminstration interface of the SonicWALL device
- Once you have successfully logged into the device, click on the 'VoIP' tab in the left hand navigation menu, followed by 'settings'
- Check 'Enable Consistent NAT'
- Uncheck 'Enable SIP Transformations' and all options directly below it as shown below
- Click on 'Apply' to save the changes
Most SonicWALL devices will also require the UDP session timer to be increased from 30 to at least 60, if not 120 or 180 seconds.
Cisco devices refer to the SIP ALG as 'SIP Fixup' and require access to the command line (CLI) of IOS to disable.
- Access the CLI
- Run an 'enable'
- Run a 'configure terminal'
- Then run a:
- UDP: no ip nat service sip udp port 5060
- TCP: no ip nat service sip tcp port 5060
- Followed by a: 'no inspect sip'
There are a couple of steps to disabling a SIP ALG on a D-Link device.
- Using the web browser of your choice, enter the D-Link routers local IP into the address bar and login when prompted
- Once you have logged in, click on 'Advanced' on the top navigation bar → then click on the 'Firewall Settings' tab
- Uncheck the 'Enable SPI' box as well as set 'NAT Endpoint Filtering' for TCP & UDP to 'Endpoint Independent'
- After that has been set, find the 'Application Level Gateway (ALG)' configuration near the bottom and uncheck the 'SIP' field as shown below.
- Save the settings and reboot the device
Fortinet devices running FortiOS will need the SIP ALG disabled in multiple places. This will be done via the Command Line Interface (CLI)
- Login to the Fortigate device, and access the Fortigate CLI from within the dashboard.
- Input the following commands in FortiGate’s CLI:
- config system settings
- set sip-helper disable
- set sip-nat-trace disable
- reboot the device
- Re-access the CLI and input the following commands:
- config system session-helper
- locate the SIP entry; usually number 12 but it can vary
- delete 12
- If not 12, the number you identified in step b above
- config system session-helper
- run this command again to confirm the rule # from step b/c above is now gone; #12 will be populated because #13 moved up in rank, but no reference to SIP or port 5060 should be noted
- After disabling the SIP ALG, you will need to disable the RTP processing as well:
- config voip profile
- edit default
- config sip
- set rtp disable
Older versions of Asus firmware typically only support disabling the SIP ALG via the command line interface. If you do not see the option to disable the SIP ALG in the GUI, check to see if your router has a firmware update.
To disable the SIP ALG present in most later version of Asus firmware you will need to log into the GUI and browse to 'NAT Passthrough' → and set 'SIP Passthrough' to disabled as shown here:
The RV042 will not work with firmware versions older than version 188.8.131.52 or possibly version 184.108.40.206.
Update to the latest firmware available for this device and it should function properly.
The E1700 series devices (as well as some similar LInksys models) allow disabling of the SIP ALG via the Administration tab → Management → SIP ALG section as shown here:
The DG1670A runs the same firmware as the DG860A with the additional capability of disabling the SIP ALG. Even with the SIP ALG disabled (as shown below), field reports indicate that a UDP session timer issue remains, which will continue to cause issues.
The Actiontec GT784WN & GT784WNV both have a SIP ALG that cannot be disabled from the HTTP administrative interface or from telnet. The issues with these devices are further compounded by the fact that the firewall, when set to the 'NAT only' setting, intermittently blocks keep alive messages from various devices.
Our recommendation to utilize the GT784WN or the GT784WNV is to set it in bridge-mode and implement a SIP compliant router behind it (use it only as a gateway).
Peplink devices support SIP ALG across their entire product family and it is enabled by default.