SIP ALG and Why it should be disabled on your Router

What is SIP ALG?

ALG stands for Application Layer Gateway, and SIP ALG is a common feature in many commercial routers. It is intended to prevent some of the problems caused by router firewalls by inspecting VoIP traffic (packets) and, if necessary, modifying it.

Many routers have SIP ALG turned on by default.

There are various solutions for SIP clients behind NAT, some of them on the client side (STUN, TURN, ICE), others on the server side (RTP proxies such as RtpProxy or MediaProxy). An ALG typically works in the client's LAN router or gateway. In some scenarios client-side solutions are not valid, for example STUN behind a symmetric NAT router. If the SIP proxy doesn't provide a server-side NAT solution, then an ALG solution could have a place.

An ALG understands the protocol used by the specific applications that it supports (in this case SIP) and does a protocol packet-inspection of traffic through it. A NAT router with a built-in SIP ALG can re-write information within the SIP messages (SIP headers and SDP body) making signaling and audio traffic between the client behind NAT and the SIP endpoint possible.

How can it affect VoIP?

Even though SIP ALG is intended to assist users who have phones on private IP addresses, in many cases it is implemented poorly and actually causes more problems than it solves. SIP ALG modifies SIP packets in unexpected ways, corrupting them and making them unreadable. This can give you unexpected behaviour, such as phones not registering and incoming calls failing.

Therefore, if you are experiencing problems, we recommend that you check your router settings and turn SIP ALG off if it is enabled.

  • Lack of incoming calls: When a UA is switched on, it sends a REGISTER to the proxy so that it can be located and receive incoming calls. The ALG modifies this REGISTER (otherwise the proxy could not reach the user, because the "Contact" header of the REGISTER would indicate a private IP). Common routers keep the UDP "connection" open only for a while (30-60 seconds); after that time the port forwarding ends and the router discards incoming packets. Many SIP proxies maintain a UDP keepalive by sending OPTIONS or NOTIFY messages to the UA, but only when the UA was detected as being behind NAT during registration. A SIP ALG router rewrites the REGISTER request, so the proxy doesn't detect the NAT and doesn't maintain the keepalive (so incoming calls will not be possible).
  • Breaking SIP signalling: Many of today's common routers with built-in SIP ALG modify SIP headers and the SDP body incorrectly, breaking SIP and making communication impossible. Some of them do a blanket replacement, searching for a private address in all SIP headers and the body and replacing it with the router's public mapped address (for example, replacing the private address when it appears in the "Call-ID" header, which makes no sense at all). Many SIP ALG routers corrupt the SIP message when writing into it (e.g. a missing semicolon ";" in header parameters). Writing incorrect port values greater than 65536 is also common in many of these routers.
  • Disallows server-side solutions: Even if you don't need a client-side NAT solution (your SIP proxy gives you a server-side NAT solution), a router whose SIP ALG breaks SIP signalling will make communication with your proxy impossible.
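To confirm that a router is doing this, capture the same REGISTER on the LAN side and at the proxy and compare the two. The script below is an added example, not part of the original article: it flags the symptoms listed above (rewritten Contact, rewritten Call-ID, dropped ";" separators, impossible ports). The host name, extension and addresses in the sample messages are constructed.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

def headers(msg):
    """Return SIP headers as {lower-cased name: value}; the request line is skipped."""
    head = msg.replace("\r\n", "\n").split("\n\n")[0]
    return {n.strip().lower(): v.strip()
            for n, _, v in (line.partition(":") for line in head.split("\n")[1:])}

def has_private_ip(text):
    """True if text contains an RFC 1918 IPv4 address."""
    for cand in re.findall(IPV4, text):
        try:
            if any(ipaddress.ip_address(cand) in net for net in RFC1918):
                return True
        except ValueError:  # e.g. 999.1.1.1 is not a valid address
            pass
    return False

def alg_findings(sent, received):
    """Compare what the phone sent with what the proxy received; list signs of ALG rewriting."""
    s, r = headers(sent), headers(received)
    out = []
    # Contact no longer private: the proxy cannot tell the phone is behind NAT (no keepalive).
    if has_private_ip(s.get("contact", "")) and not has_private_ip(r.get("contact", "")):
        out.append("contact-rewritten")
    # Call-ID is an opaque identifier; only a blanket address replace would change it.
    if s.get("call-id") != r.get("call-id"):
        out.append("call-id-rewritten")
    # Fewer ';' than were sent means a header parameter separator was dropped.
    out += [f"lost-semicolon:{n}" for n in s if n in r and r[n].count(";") < s[n].count(";")]
    # 65535 is the highest valid port; check host:port pairs and SDP m= lines.
    ports = re.findall(IPV4 + r":(\d+)", received) + re.findall(r"(?m)^m=\w+ (\d+)", received)
    out += [f"bad-port:{p}" for p in ports if int(p) > 65535]
    return out

# Constructed sample: a REGISTER as sent from the LAN, and a mangled copy as seen by the proxy.
SENT = "\r\n".join([
    "REGISTER sip:pbx.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport",
    "From: <sip:1001@pbx.example.com>;tag=49583", "To: <sip:1001@pbx.example.com>",
    "Call-ID: 843817637684230@192.168.1.20", "CSeq: 1 REGISTER",
    "Contact: <sip:1001@192.168.1.20:5060>;expires=3600", "Content-Length: 0", "", ""])
RECEIVED = (SENT.replace("192.168.1.20", "203.0.113.7")   # blanket address replace
                .replace(";rport", "rport")                # dropped separator
                .replace("203.0.113.7:5060>", "203.0.113.7:70123>"))  # impossible port
print(alg_findings(SENT, RECEIVED))
```

An empty result for a real capture pair means the router passed the message through untouched, which is the state you want after disabling SIP ALG.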

I have disabled SIP ALG but I'm still experiencing problems...

If you are still having problems after disabling SIP ALG, please check your firewall configuration.

How do I turn off SIP ALG?

Asus Routers:

Disable the option SIP Passthrough under Advanced Settings / WAN -> NAT Passthrough.

If your router doesn't have this option, SIP ALG may be disabled via Telnet.

AVM Fritz!Box:

SIP ALG cannot be disabled.

Billion:

Check for a SIP ALG option in the NAT or Firewall settings.

BT:

SIP ALG cannot be disabled in the settings of BT HomeHubs, but can be disabled with BT Business Hub versions 3 and higher.

D-Link:

In 'Advanced' settings --> 'Application Level Gateway (ALG) Configuration' un-tick the 'SIP' option.

DrayTek:

With Vigor2760 devices the option can be found in the regular interface at Network -> NAT -> ALG.

With all other devices you'll need a telnet client.

On Windows systems press the Windows Start button, search for cmd and hit enter.

Type in telnet 192.168.1.1 and hit enter again.

If you don't have the Windows telnet client installed, please go to Start -> Control Panel -> Programs -> Programs and Features -> Turn Windows Features on or off and ensure Telnet Client is checked and click OK.

You will be prompted to provide a username and/or password. These are the same credentials used to access the router's web interface.

Afterwards, type in these commands:

sys sip_alg 0

sys commit

On Draytek Vigor2750 and Vigor2130 please use these commands instead:

kmodule_ctl nf_nat_sip disable

kmodule_ctl nf_conntrack_sip disable

Huawei:

The SIP ALG setting is usually found in the Security menu.

Linksys:

Check for a SIP ALG option in the Administration tab under Advanced.

You may also need to disable the SPI Firewall option.

Mikrotik:

Disable SIP Helper.

Netgear:

Look for a 'SIP ALG' checkbox in 'WAN' settings.

Port Scan and DoS Protection should also be disabled.

Disable STUN in VoIP phone's settings.

SonicWALL Firewall:

Under the VoIP tab, the option 'Enable Consistent NAT' should be enabled and 'Enable SIP Transformations' unchecked.  

Speedtouch:

Telnet commands must be used to disable SIP ALG with some Speedtouch routers. Please refer to the manufacturer's support documentation.

TP-Link:

How to Disable SIP ALG on TP-Link ADSL modem router

Virgin SuperHub:

SIP ALG cannot be disabled in the settings of SuperHubs. Please click here for advice on troubleshooting issues with SuperHub devices.

Zyxel:

Under Network or Advanced -> ALG un-tick the options Enable SIP ALG and Enable SIP Transformations.

Telnet commands must be used to disable SIP ALG with some other Zyxel routers. Please refer to the manufacturer's support documentation.
