What is SIP ALG?
SIP ALG stands for Application Layer Gateway and is common in many commercial routers. Its purpose is to prevent some of the problems caused by router firewalls by inspecting VoIP traffic (packets) and, if necessary, modifying it.
Many routers have SIP ALG turned on by default.
There are various solutions for SIP clients behind NAT: some on the client side (STUN, TURN, ICE), others on the server side (an RTP proxy such as RtpProxy or MediaProxy).
Generally speaking, an ALG typically runs in the client-side LAN router or gateway. In some scenarios, some client-side solutions are not valid, for example STUN behind a symmetric NAT router. If the SIP proxy doesn't provide a server-side NAT solution, then an ALG solution could have a place.
An ALG understands the protocol used by the specific applications that it supports (in this case SIP) and inspects the traffic passing through it at the protocol level. A NAT router with a built-in SIP ALG can rewrite information within the SIP messages (SIP headers and SDP body), making signalling and audio traffic between the client behind NAT and the SIP endpoint possible.
How can it affect VoIP?
Even though SIP ALG is intended to assist users who have phones on private IP addresses (Class C 192.168.X.X), in many cases it is implemented poorly and actually causes more problems than it solves. SIP ALG modifies SIP packets in unexpected ways, corrupting them and making them unreadable. This can give you unexpected behaviour, such as phones not registering and incoming calls failing.
Therefore if you are experiencing problems we recommend that you check your router settings and turn SIP ALG off if it is enabled.
- Lack of incoming calls: When a UA is switched on, it sends a REGISTER request to the proxy so that it can be located and receive incoming calls. This REGISTER is modified by the ALG feature (otherwise the user wouldn't be reachable by the proxy, since the REGISTER "Contact" header indicates a private IP). Common routers keep the UDP "connection" open only for a while (30-60 seconds); after that time the port forwarding ends and incoming packets are discarded by the router. Many SIP proxies maintain a UDP keepalive by sending OPTIONS or NOTIFY messages to the UA, but they only do so when the UA has been detected as NAT'd during registration. Because a SIP ALG router rewrites the REGISTER request, the proxy doesn't detect the NAT and doesn't maintain the keepalive (so incoming calls will not be possible).
- Breaking SIP signalling: Many of today's common routers with a built-in SIP ALG modify SIP headers and the SDP body incorrectly, breaking SIP and making communication impossible. Some of them do a blanket replacement, searching for a private address in all SIP headers and the body and replacing it with the router's public mapped address (for example, replacing the private address if it appears in the "Call-ID" header, which makes no sense at all). Many SIP ALG routers corrupt the SIP message when writing into it (e.g. a missing semicolon ";" in header parameters). Writing incorrect port values greater than 65536 is also common in many of these routers.
- Disallows server-side solutions: Even if you don't need a client-side NAT solution (your SIP proxy gives you a server-side NAT solution), if your router has a SIP ALG enabled that breaks SIP signalling, it will make communication with your proxy impossible.
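The failure modes listed above can be checked by comparing a SIP request as the phone sent it with the same request as it arrived at the proxy (for example from packet captures on both sides). The following is an added example, not VoiceHost code; the sample messages, the addresses and the names `headers` and `alg_findings` are constructed for illustration.

```python
import re

# Constructed sample: REGISTER as sent by a phone on a private LAN address.
SENT = (
    "REGISTER sip:sip.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776a;rport\r\n"
    "From: <sip:1001@sip.example.invalid>;tag=49583\r\n"
    "To: <sip:1001@sip.example.invalid>\r\n"
    "Call-ID: 843817637684230@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>;expires=3600\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: the same request after a faulty ALG (Call-ID rewritten,
# Contact rewritten with an impossible port and a dropped ";").
RECEIVED = (
    SENT.replace("192.168.1.50:5060>;expires", "203.0.113.7:70112>expires")
        .replace("@192.168.1.50\r\n", "@203.0.113.7\r\n")
)

PRIVATE = re.compile(
    r"\b(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)\b")

def headers(msg):
    """Header name (lower-cased) -> value; enough for one-of-each headers."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return {k.strip().lower(): v.strip()
            for k, v in (line.split(":", 1) for line in lines)}

def alg_findings(sent, received):
    """Compare a request as sent with the same request as received."""
    s, r = headers(sent), headers(received)
    found = []
    if s["call-id"] != r["call-id"]:
        found.append("call-id-rewritten")        # Call-ID is an end-to-end identifier
    if PRIVATE.search(s["contact"]) and not PRIVATE.search(r["contact"]):
        found.append("contact-rewritten")        # proxy no longer sees the NAT
    for name in ("from", "to", "contact"):
        value = r.get(name, "")
        if any(int(p) > 65535 for p in re.findall(r":(\d+)>", value)):
            found.append(f"bad-port:{name}")     # not a valid UDP/TCP port
        if re.search(r">[A-Za-z]", value):
            found.append(f"missing-semicolon:{name}")  # ">expires" lost its ";"
    return found

if __name__ == "__main__":
    print(alg_findings(SENT, RECEIVED))
```

Any finding on a request that crossed only your own router points at the ALG rather than at the phone or the proxy.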
I have disabled SIP ALG but I'm still experiencing problems...
If you are still having problems after disabling SIP ALG, please check your firewall configuration.
I can't disable SIP ALG? How to circumvent any networking vendor's broken implementation of SIP ALG
- Enable TLS on SIP endpoints. VoiceHost supports TLS, which hides SIP signalling from the prying eyes of ALG functionality.
- Enable IPv6 on SIP endpoints. Practically, this is not a realistic option for users requiring mobility, but for static locations it does remove the requirement (it must be supported by your ISP). Most Internet providers do not fully support pure IPv6.
- Change your router. Obviously a last resort if all else fails.
Most home/residential routers have a web interface. Typically this is at 192.168.1.1, but you can check your default gateway by typing ipconfig in the Windows command prompt, or ifconfig on Linux systems, from any connected device on the same LAN. If your router does not have a web interface you will most likely need a Telnet client to log in. If you don't have a telnet client installed we recommend Smartty (smartty.sysprogs.com). Connect via telnet to the IPv4 address of your gateway and hit enter again.
Asus Routers | Disable the option SIP Passthrough under Advanced Settings / WAN -> NAT Passthrough. CLI: nvram get nf_sip, then nvram set nf_sip=0 |
AVM Fritz!Box | SIP ALG cannot be disabled. (See above on how to get around this) |
Barracuda Firewalls | Go to Firewall > Firewall Rules > Custom Firewall Access Rules. Click the "Disabled" check box next to any rules named LAN-2-INTERNET-SIP and INTERNET-2-LAN-SIP. This disables SIP ALG. |
Billion | Navigate to the web interface -> Select Configuration -> Select NAT -> Select ALG -> Disable SIP ALG |
BT (Homehubs) | SIP ALG cannot be disabled in the settings of BT HomeHubs but can be disabled with BT Business Hub versions 3 and higher. |
Cisco RV Range | -> Go to System Summary and ensure that the firmware is up to date (1.1.1.06 or later). -> If needed, update firmware by going to System Management > Firmware Upgrade. -> Go to Firewall > General. -> Ensure that Firewall and Remote Management are enabled (checked). -> Ensure that the following are disabled (unchecked): -> SPI (Stateful Packet Inspection) -> DoS (Denial of Service) -> Block WAN Request -> SIP ALG -> Click Save. -> Browse to IPADDRESS/f_general_hidden.htm. -> Set UDP Timeout to 300 seconds. -> Go to Firewall > Access Rules. -> Whitelist VoiceHost IP ranges. -> Save all changes. |
D-Link | In 'Advanced' settings --> 'Application Level Gateway (ALG) Configuration' un-tick the 'SIP' option. |
DD-WRT | No ALG function available - Consider using a public STUN server |
DrayTek | On DrayTek Vigor 2760 devices, the option can be found in the regular interface at Network -> NAT -> ALG. If your device does not have a web interface then you'll need a telnet client. Afterwards, type in these commands:
On Draytek Vigor2750 and Vigor2130 please use these commands instead:
|
EE | Huawei E5330 Navigate to the web interface |
Fortinet | Fortigate: Disabling the SIP ALG in a VoIP profile
|
Huawei | The SIP ALG setting is usually found in the Security menu.
|
Juniper | Type the following into the CLI
|
Linksys | Check for a SIP ALG option in the Administration tab under 'Advanced'. You should also disable the SPI Firewall option. |
Mikrotik | Disable SIP Helper. |
Netgear | Look for a 'SIP ALG' checkbox in 'WAN' settings. Under 'NAT Filtering' uncheck the option 'SIP ALG' |
OpenWrt | No ALG feature - Consider using a public STUN server |
pfSense | https://www.voicehost.co.uk/help/pfsense-voip-configuration |
SonicWALL Firewall | Under the VoIP tab, the option 'Enable Consistent NAT' should be enabled and 'Enable SIP Transformations' unchecked. Detailed instructions can be found here: https://www.voicehost.co.uk/help/sonicwall-configuration |
Speedtouch | To disable SIP ALG you need to telnet into your Speedtouch router and type the following: -> connection unbind application=SIP port=5060 |
TalkTalk | 2017/18 See Huawei (HG633)
|
Technicolor / Thomson TG588 TG589 TG582 DWA0120 | Open Command Prompt – “Start” → “Run” → type “cmd” and press “Enter”. In Command Prompt, type “telnet 192.168.1.254” and press “Enter”. 192.168.1.254 is the default IP address of the router. If you are running Windows 7/8/8.1/10, you might need to install the telnet client from “Control Panel” → “Programs and Features” → “Turn Windows features on and off”. The default username is “Administrator”, and there is no default password; leave it blank. Type “connection unbind application=SIP port=5060” and press “Enter”. Type “saveall” and press “Enter”. Type “exit” and press “Enter” to exit the telnet session. |
Tomato | Depending on the version of Tomato, SIP ALG can be found under Advanced then Conntrack/Netfilter in the Tracking/NAT Helpers section. If you find SIP checked then SIP ALG is enabled. Uncheck it to disable it. |
TP-Link | Navigate to your router's web interface. The default username is admin and the default password is admin. On the left, click on Advanced Setup, then click on NAT, and then click on ALG. Uncheck the box by SIP Enabled. (Some TP firmware shows this as SIP Transformations, which is the same thing.) Click Save/Apply. |
UBEE Gateways | Go to Advanced > Options. Disable (uncheck) SIP. Disable (uncheck) RTSP. Click Apply. |
Ubiquiti | Use the configuration tree if supported: system -> conntrack -> modules -> sip -> disable Alternatively, you can SSH into the device and run the following commands:
|
Virgin SuperHub | SIP ALG cannot be disabled in the settings of SuperHubs. Please see our workarounds at the top of the page. |
Vodafone | 2018 Onwards - See Huawei (HHG2500) |
Vyatta / Brocade | Type the following into the CLI
|
Watchguard Firewall | Detailed instructions can be found here: https://www.voicehost.co.uk/help/watchguard-firewall-sip-configuration |
ZyXEL | Under Network or Advanced -> ALG un-tick the options Enable SIP ALG and Enable SIP Transformations.
|
ZyXEL (ZyWALL USG Routers) | Go to Settings > Configuration > Network > ALG. Disable SIP ALG. Turn ON Enable SIP Transformations. Turn OFF Enable Configure SIP Inactivity Timeout. |