SIP ALG: What Is It & Why VoIP Users Should Disable It

SIP ALG: What Is It & Why VoIP Users Should Disable It

SIP ALG: What Is It & Why VoIP Users Should Disable It


So, you set up your PENGUIN phone system, but you're experiencing dropped calls, no incoming calls, or your phone keeps ringing after you pick up.
The good news is that you will be able to instantly resolve your Voice over IP issues once you disable SIP ALG.
In this updated guide, we'll cover why SIP ALG must be turned off, and we'll include tips to optimize your network for PENGUIN phone service.

What is SIP ALG?

SIP ALG is a feature found in most networked routers, operating as a function of its firewall. It consists of two different technologies, explained below:

  • Session Initiation Protocol (SIP) - The underlying service that powers all Voice over Internet Protocol (VoIP) phones, apps, and devices. SIP manages registering devices, maintaining call presence, and overseeing the call audio. Read more about SIP in our deep dive here.
  • Application Layer Gateway (ALG) - Routers segments your ISP and your internal network through a process known as Network Address Translation (NAT). An ALG acts as a proxy to rewrite the destination addresses in data packets for improved connectivity.

The problem with SIP ALG is the packet rewriting aspect of it. SIP ALG can be useful to mitigate multiple NATs, but it doesn't help the vast majority. Let's take a more in-depth look at what's happening with these data packets.

Examples of a modified packet (SIP ALG).
SIP ALG modifies the destination addresses of VoIP packets causing reliability issues.


The diagram above shows that the Application Layer Gateway changes the destination public IPs in SIP packets. Certain commercial routers are smart enough to inspect the SIP messages themselves to leave private IP addresses alone.

Today's office PBX systems, conference calls, and even audio/video conferencing rely on SIP. Signaling protocols like SDP, RTP, and RTSP all face the same issues because they are a subset of SIP packets.


Signs SIP ALG affects VoIP calls

There are a few categories of symptoms SIP ALG could affect VoIP phone. It's not always apparent, especially since these issues often happen silently without users knowing.

One-way audio (only one person can hear the other)
Phones do not ring when called
Calls drop after being connected
Calls going straight to voicemail for no known reason

What's happening is that some VoIP traffic is lost between the phone and the VoIP service provider. This interruption is happening because of router firewalls. This traffic is essential to maintaining the phone's availability and selecting the proper audio codecs.

Many routers default SIP ALG to on within their device's firmware. Thanks to easy and simple web interfaces, simply check or uncheck a box. Pictured below is an example:

Example Showing How to Turn Off SIP Application Layer Gateway (TP-Link)
Disabling SIP ALG is often as simple as unchecking a box. (TP-Link Archer A9).

How do I turn off SIP ALG?

To disable SIP ALG, you will need to log into your router. Your router can also function as a modem for some broadband gateways. Popular brands of routers include Cisco, Linksys, Netgear, D-Link, Asus, and TP-Link.

We've compiled a list of the top routers and included links to disable the Application Layer Gateway, which can interfere with VoIP calls.

In most cases, you will need to sign in to your router with the admin password. Look under its security settings, uncheck SIP ALG, save and reboot your router. More advanced corporate firewalls may require further adjustment, such as port forwarding.

Router ManufacturerSteps to Disable SIP ALG
Actiontec
  1. Select Advanced, click Yes to accept the warning, then click ALG’s.
  2. Ensure SIP ALG is disabled by removing the check.
  3. Click Apply.
  4. Select Advanced, click Yes to accept the warning, then click Remote Administration.
  5. Click the checkbox to Allow Incoming WAN ICMP Echo Requests (for traceroute and ping), then click Apply.
Adtran
  1. Under Firewall, go to Firewall / ACLs.
  2. Click on ALG Settings.
  3. Uncheck the box labeled SIP ALG
  4. Click Apply.

If you are using the terminal, issue the following command: 
no ip firewall alg sip

ArrisMost Arris broadband gateways:

  1. Navigate to the gateway’s IP (192.168.0.1).
    Username: admin Password: motorola
  2. Navigate to Advanced, then Options.
  3. Uncheck the SIP box.
  4. Click Apply.

Arris BGW210

  1. Navigate to 192.168.1.254.
    Authenticate without a username, and use the password located on the unit’s sticker.
  2. Under the Firewall section, click on Advanced Firewall.
  3. Change the Set SIP ALG setting to off.
  4. Turn off the Authentication Header Forwarding.
  5. Turn off ESP Header Forwarding.
  6. Click Save.
Asus
  1. Under the Advanced Settings section, click WAN.
  2. Click the NAT Passthrough tab.
  3. Change the SIP Passthrough setting to “Disable.”
  4. Click Apply.
AT&T

U-Verse Pace 5268AC Gateway 
This broadband gateway does not support disabling SIP ALG. We recommend configuring your gateway to function only as a modem, not a router (Bridge Mode). You will need to use another router that supports disabling SIP ALG.

Cisco

Cisco General and Enterprise-Class routers: 
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Cisco PIX routers:
no fixup protocol sip 5060
no fixup protocol sip udp 5060

Cisco ASA routers:
Locate ‘Class inspection_default’ under ‘Policy-map global_policy’. Execute this command: no inspect sip

D-Link
  1. Click on Advanced Settings.
  2. Locate the Application Level Gateway (ALG) Configuration.
  3. Uncheck the SIP option.
  4. Click Save.

DIR-655:

  1. Click Advanced, located along the top.
  2. Click Firewall Settings on the left side of the screen.
  3. Uncheck Enable SPI
  4. Set both UDP and TCP Endpoint Filtering to Endpoint Independent.
  5. Uncheck SIP from Application Level Gateway Configuration.
  6. Click Save.
Fortinet
  1. Use the following commands from the CLI interface:
    config system session-helper
    show system session-helper
  2. Find the SIP session instance, typically indicated by #12
  3. Delete #12 or the appropriate number
  4. Confirm its deletion by executing this command:
    show system session-helper. For more guidance, follow this article.
Linksys

Linksys Smart Wi-Fi (E-series):

  1. On the left side of the screen, click on Connectivity.
  2. Click the Administration tab.
  3. Under Application Layer Gateway, verify SIP is unchecked.
  4. Click Apply or Save.

Older Linksys models:

  1. Go to the ‘Advanced’ section on the Admin page
  2. Disable the SIP ALG feature.

Linksys BEFSR41 routers:

  1. Click on Applications and Gaming on the Admin page.
  2. Click on Port Triggering. 
  3. Type in ‘TCP’ as the application.
  4. Type in ‘5060’ into the Start Port and End Port for the ‘Triggering Range’ and ‘Forwarded Range’ fields.
  5. Check ‘Enable’.
  6. Click on Save and Reboot.
MikrotikFor Mikrotik routers, SIP ALG is known as SIP Helper. 

  1. Use the company’s winbox software.
  2. Navigate to IP, then Firewall.
  3. Click on the Service Ports tab and disable it through the GUI.
  4. You may also run this command from the terminal:
    /ip firewall service-port disable sip
Netgear

For Netgear routers with the Genie interface: 

  1. Select the Advanced tab at the top.
  2. Expand the Setup menu on the left side of the screen.
  3. Click WAN Setup.
  4. Check the box labeled Disable SIP ALG.

Other Netgear routers: 

  1. Under the Security/Firewall, click on Advanced Settings.
  2. Disable SIP ALG.
  3. Locate Session Limit under Security/Firewall.
  4. Increase the UDP timeout to 300 sec.
SonicWall
  1. Under System Setup on the left side of the screen, click on VoIP.
  2. Check ‘Enable Consistent NAT’
  3. Uncheck ‘Enable SIP Transformations’.
  4. Click Accept.
  5. To increase UDP timeouts, navigate to the Firewall Settings, then Flood Protection.
  6. Click on the UDP tab and modify the default UDP connection timeout to 300 seconds.
  7. Click the Accept button to save the changes. For more information, consult this support article.
TP-Link

Newer TP-Link routers (Archer series): 

  1. Click on the Advanced Tab.
  2. Expand the NAT Forwarding menu on the left side of the screen.
  3. Uncheck SIP ALG, RTSP ALG, and H323 ALG checkboxes.
  4. Click Save.

Older TP-Link routers:

  1. Use the Telnet client from the Command Prompt.
  2. Apply the following command:
    ip nat service sip sw off
UBEE
  1. Go to Advanced, then Options.
  2. Uncheck the SIP and the RTSP checkboxes.
  3. Click Apply.
Ubiquiti

UniFi Security Gateway

  1. Sign in to your UniFi security gateway.
  2. Click on Routing & Firewall along the left side.
  3. Click the Firewall tab at the top and click Settings from the sub-menu.
  4. Toggle H.323 and SIP to off.
  5. Click the Apply Changes button.

EdgeRouters (ER-x)

  1. Access the router’s administrative interface, typically at 192.168.1.1.
  2. Use the Config Tree or a command-line interface to disable SIP ALG.

Config Tree:

  1. Select config tree in the top right-hand corner.
  2. Expand system, conntrack, modules, and sip.
  3. Click the plus sign next to disable.
  4. Click the Preview option.
  5. Click Apply.

Command Line Interface:

  1. From the administrative interface, choose CLI located at the top right corner of the screen.
  2. From here, we can also increase UDP timeouts as well.
  3. Enter these commands into the terminal:
    configure
    set system conntrack modules sip disable
    set system conntrack timeout udp stream 300
    set system conntrack timeout udp other 300
    commit
    save
    exit
Verizon FiOS

G1100

This broadband gateway does not support disabling SIP ALG. We recommend configuring your gateway to function only as a modem, not a router. You will need to use another router that supports disabling SIP ALG.

ZyXEL

ZyXEL ZyWALL/USG60:

  1. Click on Configuration and expand the Network settings.
  2. Click ALG along the left side.
  3. Uncheck all the checkboxes on the right side:
    1. Uncheck Enable SIP ALG.
    2. Uncheck Enable SIP Transformations.
  4. Click Apply.
  5. For more information, consult this help article.

ZyXEL C1000Z/C1100Z (CenturyLink): 

  1. Click on Advanced Setup.
  2. Click on SIP ALG along the left side.
  3. Toggle the SIP ALG setting to Disable.
  4. Click Apply.

ZyXEL P600: 

  1. Telnet to the router (192.168.1.1) and enter the password.
  2. The default password is 1234. Type “24” and press enter.
  3. Then “8” and press enter.
  4. Provide this command:
    ip nat service sip active 0 
  5. When done, press Enter.


Why disable SIP ALG?

Conventional wisdom would suggest that an Application-Level Gateway is supposed to be enabled. After all, many consumer and commercial router settings even default SIP ALG to on.

As a feature in most broadband routers, SIP ALG was introduced with good intentions in response to the limitations of Network Address Translation. Unfortunately, it interferes with the built-in functionality of IP and signaling protocols. It’s no longer necessary with today’s VoIP applications.

Since ALGs exist at the Application Layer of the OSI Model, it doesn’t consider the datagrams within transport protocols like UDP or TCP. VoIP signaling protocols solve these common issues by including the public and private IP addresses in every packet.

Some routers try to improve security by terminating open connections in the firewall. Dubbed a "firewall pinhole," it means that traffic can work momentarily, but when a SIP proxy drops packets, it can affect VoIP calls after you establish them.

Visualizing where SIP ALG in a Network Diagram.
Most routers include a built-in Application Layer Gateway that interferes with VoIP calls.

You should disable SIP ALG because it:

Interrupts SIP traffic like calls and conferencing apps.
Affects the perceived reliability of desk phones.
Isn't needed when using cloud-based VoIP providers.

For almost all VoIP users with PENGUIN, the best practice is to turn off SIP ALG entirely.

The only reason why you would enable SIP ALG is if your router manufacturer or VoIP provider has instructed you. Given the prominence of VoIP and Application Layer Gateways, they will provide proper settings to work with your VoIP provider.


    • Related Articles

    • Common VoIP Issues

      EXPERIENCING VOIP PROBLEMS? Voice quality issues with a VoIP system can be frustrating and can also impact business operations. In this post, we’ll discuss common VoIP issues, and how to troubleshoot them. Voice-over-IP (VoIP) systems have ...

    • Network Equipment Compatibility

      Use this guide to determine if your network equipment is compatible with Penguin VoIP phone service. The Session Initial Protocol Application Layer Gateway (SIP ALG) and Stateful Packet Inspection (SPI) need to be disabled on most routers and ...

    • Router Setting Guidelines

      Describes recommended settings that may be needed for your routers, firewalls, or modem/router combinations to work with Penguin service. These changes are generally made using your device’s web interface. After you make any changes, restart your ...

    • Bandwidth and VoIP

      Bandwidth is a measure of how much data your connection can transfer at one time. A lack of bandwidth can negatively affect the sound quality of your Penguin service. The number of computers at the same location and on the same network as your ...

    • Penguin Requirements and Best Practices

      Ethernet Cabling Requirements Cat5e or better cabling infrastructure and patch cables are required.  Cat6e or better are preferred for gigabit switching.  Switching Requirements For most installations standard switches will function just fine however ...