Written by Shea Georgetti
Please click here to check SIP ALG:
Click to check SIP ALG
Optimal results displayed below:
SIP ALG Overview:
SIP ALG (Application Layer Gateway) is a mechanism found in most routers that rewrites packets transmitted across the device. Certain protocols are processed by the application layer gateway (ALG) and rewritten to allow better flow through a firewall or when NAT (Network Address Translation) is employed. The SIP protocol is one of several protocols managed by this system.
One of the most common issues with VoIP solutions relates to audio transmission and presence of a firewall and/or NAT traversal being configured. In many cases, a properly configured system may still have audio issues when transmitting or receiving calls where only one party is heard during a call. Implementing the necessary changes to disable SIP ALG can oftentimes resolve these issues.
Where does SIP ALG Present Issues?
The problem with SIP ALG is the fact that most times, packet rewriting causes undesirable operation. The intent of the technology was to assist the packet flow of SIP and other packets and help solve NAT related problems. In this case, the ALG's function is to perform a stateful packet level inspection (SPI) of traffic coming through it. SIP messages would then be re-written by SIP ALG to allow the correct communication of signaling and voice traffic between endpoints and effective NAT traversal. The frequent result in lower end routers is however a hindrance for data transmission due to poor implementations of ALG that break SIP. Most commonly, the issues many experience relate to one-way or no audio, depending on who initiates the call.
In most cases, it is recommended that SIP ALG, SPI and SIP transformations are disabled.
Navigating SIP ALG
With most setups, it is best to disable this feature as this service usually does more harm than good. The following section will help to assist most with disabling this feature on their router. The first few sections will cover the basis of disabling SIP ALG and SPI for higher-class enterprise devices while the lower sections relate to common devices used in small offices or homes.
Cisco Router
If running a business class Cisco router, you can initiate a terminal session with an application like PuTTy or directly accessing the console. Enable privileged EXEC mode and issue the following commands where ‘ciscohost’ is the name of your router (see Figure 1 too):
ciscohost# conf t
ciscohost(config)# no ip nat service sip tcp port 5060
ciscohost(config)# no ip nat service sip udp port 5060
ciscohost(config)# do show run | inc nat service sip
Figure 1: Disabling SIP Inspection on a Cisco Router
If it worked, the next line displayed after the 'do show' command will read 'no ip nat service sip tcp port 5060' and 'no ip nat service sip udp port 5060'. After this message appears, press [CNTRL] + [z] to end the configuration session. Notice in my session, I already had this setting configured for TCP so the only line appearing references UDP.
In general though Cisco routers have a high quality SIP ALG implementation that should work well and not cause any issues.
Cisco ASA (Adaptive Security Appliance)
Unless you maintain the network at your business, you probably will not have access to the ASA. Making changes to this device is not recommended unless you know what you are doing.
Access the console and enable elevated privileges. Enter the following commands to turn of SIP inspection at a global level.
ciscofirewall# enable
Password:
ciscofirewall# conf t
ciscofirewall# policy-map global_policy
ciscofirewall# no inspect sip
ciscofirewall# show run | inc policy-map global-policy | inspect sip
ciscofirewall# end
For most Cisco ASA models, this will effectively disable SIP inspection for the entire system. If keen to learn and experiment with Cisco solutions, I suggest using the emulator furnished by GNS3. However, such configuration techniques are far beyond the scope of this article.
Cisco ASDM (Adaptive Security Device Manager)
The ASDM client for Cisco devices provides a visual interface for ASA systems, both virtual and physical. If the ASA at your business is manageable by this client, the following techniques should prove to be an easier way for accomplishing the same task compared to the command line techniques described in the previous section.
Navigate to the interface while on the same LAN by typing the IP address of the machine in a browser window. If the ADSM client resides on your machine and the system is ADSM capable, a prompt should appear that requests permission to launch the application.
Each system and version are slightly different. Essentially, you as the user will need to find the Configuration area, select the Firewall option and go into the Service Policy Rules area. (Note: systems may use slightly different verbiage for each section though the methodology described above should be exactly what is needed for most systems.)
Find something resembling a 'policy rule' area. Select an item where inspection_ precedes the object/item definition and edit the policy (usually by right-clicking though some interfaces will require selecting the item with a left-click and selecting the Edit item from the bar above).
A tab in the next menu should read something similar to Rules Actions. Find a tab or item where the work protocol is used and inspect the items in this list. Locate the SIP item and uncheck the item. Save the settings after completion.
Note that this will apply a global setting to your entire device. For port specific settings, navigate to the settings for each port and alter if necessary.
FortiGate
Similar to Cisco, you must complete this through the CLI interface which can be accessed from the web interface of the device. The following commands will disable SIP ALG and get you ready to pass phone traffic over your network. Making changes to this device is not recommended unless you know what you are doing.
Step 1 - Removing the session helper
Run the following commands:
config system session-helper
Show
After these commands you should see number 13 on this list, this will show the name of SIP, with protocol of 17 and port of 5060. This is the one that needs removed to disable SIP ALG.
Run the following commands to remove 13
delete 13
end
Step 2 - Change the default –voip –alg-mode
Run the following commands (see below if you have firmware 5.2 and above):
config system settings
set default-voip-alg-mode kernel-helper based
end
If you have firmware version 5.2 and above, these commands have changed. Run the following commands:
config voip profile
edit default
config sip
set status disable
end
end
Step 3 - Either clear sessions or reboot to make sure changes take effect
Reboot the device, or run the following command. Please note connectivity for the entire network will drop during this process.
diagnose sys sessions list clear
After this, if you run our SIP ALG checking (link at the top of this article) it should come up clear of SIP ALG
SonicWall
Like Cisco, slightly different interfaces are common, relative to the version and model of the system. Generally speaking, these devices are fairly simple to configure with administrative privileges handy. While on the LAN where the device resides, type in the IP address or host name (if DNS is configured) to access the configuration area.
From the main menu, find the 'VoIP' option that usually appears on the left menu. While in the menu, uncheck the box for SIP - it often appears as 'SIP Transformations' and then select the option to 'Enable Consistent NAT'. Accept the settings and reboot if prompted. Figure 2 shows an example of the SonicWall user interface on the page where these settings exist.
Figure 2: Disabling SIP ALG on a SonicWall Router
Understand that although this method seems quite generalized, it is the basis for disabling SIP intervention on most SonicWall systems.
Netgear
Netgear has several different interfaces. As this brand is one of the most popular for home and small business networking, variation in interfaces is common due to the large number of devices made by the company. However, the following example should provide a good reference for the more common models and show you how to disable SIP ALG on your Netgear router.
While connected to the LAN, open a browser and enter the router's IP address.
Enter the authentication credentials - defaults are usually ‘admin’ for the username and 'password' for the password.
Find the WAN setup option and locate the item where SIP is mentioned (usually, this falls under the Advanced tab).
Most models have a check-box reading something similar to 'Disable SIP ALG' in figure 3 below. Check the box, apply the settings and reboot if prompted.
Figure 3: Disabling SIP ALG on a SonicWall Router
D-Link
Like Netgear, D-Link has a variety of different interfaces but the methodology for disabling this setting is very similar for most models. Many models are equipped with a powerful set of firewall tools so several steps must be completed to ensure SIP traffic passes beyond the device.
Open a browser and enter the router's IP address in the address bar. Go to 'Firewall Settings' under the 'Advanced' item.
Uncheck the box to disable SPI - usually, directly below this item are options for 'NAT Endpoint Filtering' that must be changed to 'Endpoint Independent' for both TCP and UDP.
Next, find the 'Application Level Gateway (ALG) Configuration' area and uncheck the box for SIP.
Save these settings and reboot the device if requested. Figure 4 below shows additional details on how to configure this setting:
Figure 4: Disabling SIP ALG on a D-Link Router
AT&T (2WIRE)
At the time this article was written, most AT&T services - whether DSL or UVERSE - are packaged with a 2WIRE device. Fortunately, the company allows disabling the service with minimal headache for most models and services. Yet, some models do not have this feature making this process cumbersome.
Type in the device IP address of http://192.168.1.254 in any browser address bar. Default username is 'admin' and the password can be found on the bottom on the 2wire device.
Go to the 'Firewall' menu and then select the option for 'Applications, Pinholes and DMZ'. Select your phone adapter from the the list of IP addresses and then the radio button to 'Allow all applications (DMZplus mode)'. Save the settings and you have now put your adapter in the DMZ plus zone.
SIP ALG now needs to be disabled via the ‘Management and Diagnostic Console’ that can be accessed by entering http://192.168.1.254/mdc (note that not all models of 2wire modems can access this menu and edit the settings).
If you can access this console, click on the 'Configure Services' found under the 'Advanced' heading.
A setting notated as 'SIP Application Layer Gateway' should be unchecked - hit the [SUBMIT] item and follow any additional prompts. See figure 5 below for a screen shot:
Figure 5: Disabling SIP ALG on a AT&T 2Wire Modem
Some have stated that it is not possible to turn off this setting. Newer firmware deployments on current models (as of April 2015, when this article was originally written) may not allow disabling this option. Contacting customer service to remote into your device will be the only way to turn off this setting.
Comcast | Xfinity
At the time this article was written (April 2015), there is no possible way to disable SIP ALG on a Comcast router by yourself. Worse yet, the company will not disable this feature for most customers.
Since both residential and business customers do not have an option to disable this setting from the router configuration menu, using VoIP means one of the following options will be necessary:
Buying the Comcast / Xfinity phone service.
Hope your service transposes appropriately with SIP ALG.
Connect another router to you gateway and put it in bridge mode.
Purchase your own modem compatible with Comcast/Xfinity.
The company locks down the devices such that the only voice service allowed is Comcast/Xfinity. The recommended solution involves purchasing a compatible modem for the service where greater control is possible. At this point, contact your VoIP vendor - many have unique firmware settings to push to the device as well as instructions for applying settings for a functional service.
Final Thoughts
Most agree that SIP ALG is the ultimate bane for VoIP services. Sadly, this technology that is supposed to help such transmissions proves to be a hindrance for virtually every product and service in existence. Though many companies have a workaround, some lack a solid solution.
We are very interested in hearing your unique problems and resolutions involving this mechanism and if you would like us to investigate other routers. Please, take a moment to comment or ask a question - we would like to help as many VoIP consumers as possible!
What is SIP ALG?
SIP ALG stands for Application Layer Gateway and is common in all many commercial routers. Its purpose is to prevent some of the problems caused by router firewalls by inspecting VoIP traffic (packets) and if necessary modifying it.
How to Disable SIP ALG or SIP Transformations on Your Router for Better VoIP What is SIP ALG and Why You Need to Disable It. First a little background on SIP ALG (Application Layer Gateway).It is a security component of a router or NAT that allows VoIP traffic to pass through from the private to the public and vise a versa through the firewall when NAT and NAPT is being used. A SIP ALG can re-write SIP packet headings, which can mangle the delivery process. This can make the device you're calling believe that your phone is not behind a NAT, when in fact it is. If an ALG disrupts a call, it can lead to incoming call failure, and phones that unregister themselves. The SIP ALG is not fatal in and of itself.
Many routers have SIP ALG turned on by default.
There are various solutions for SIP clients behind NAT, some of them in the client side (STUN, TURN, ICE), others are in the server side (Proxy RTP as RtpProxy, MediaProxy).
Generally speaking, ALG works typically in the client side LAN router or gateway. In some scenarios, some client-side solutions are not valid, for example, STUN with symmetrical NAT router. If the SIP proxy doesn't provide a server-side NAT solution, then an ALG solution could have a place.
An ALG understands the protocol used by the specific applications that it supports (in this case SIP) and does a protocol packet-inspection of traffic through it. A NAT router with a built-in SIP ALG can re-write information within the SIP messages (SIP headers and SDP body) making signalling and audio traffic between the client behind NAT and the SIP endpoint possible.
Tp Link Sip Alg
How can it affect VoIP?
Even though SIP ALG is intended to assist users who have phones on private IP addresses (Class C 192.168.X.X), in many cases it is implemented poorly and actually causes more problems than it solves. SIP ALG modifies SIP packets in unexpected ways, corrupting them and making them unreadable. This can give you unexpected behaviour, such as phones not registering and incoming calls failing.
Should I Turn Off Sip Alg
Therefore if you are experiencing problems we recommend that you check your router settings and turn SIP ALG off if it is enabled.
- Lack of incoming calls: When a UA is switched on it sends a REGISTER request to the proxy in order to be localisable and receive any incoming calls. This REGISTER is modified by the ALG feature (if not the user wouldn't be reachable by the proxy since it indicated a private IP in REGISTER 'Contact' header). Common routers just maintain the UDP 'connection' open for a while (30-60 seconds) so after that time the port forwarding is ended and incoming packets are discarded by the router. Many SIP proxies maintain the UDP keepalive by sending OPTIONS or NOTIFY messages to the UA, but they just do it when the UA has been detected as NAT'd during the registration. A SIP ALG router rewrites the REGISTER request to the proxy doesn't detect the NAT and doesn't maintain the keepalive (so incoming calls will be not possible).
- Breaking SIP signalling: Many of the actual common routers with inbuilt SIP ALG modify SIP headers and the SDP body incorrectly, breaking SIP and making communication just impossible. Some of them do a whole replacing by searching a private address in all SIP headers and body and replacing them with the router public mapped address (for example, replacing the private address if it appears in 'Call-ID' header, which makes no sense at all). Many SIP ALG routers corrupt the SIP message when writing into it (i.e. missed semi-colon ';' in header parameters). Writing incorrect port values greater than 65536 is also common in many of these routers.
- Disallows server-side solutions: Even if you don't need a client-side NAT solution (your SIP proxy gives you a server NAT solution), if your router has SIP ALG enabled that breaks SIP signalling, it will make communication with your proxy impossible.
Sip Alg Detector
I have disabled SIP ALG but I'm still experiencing problems...
If you are still having problems after disabling SIP ALG, please check your firewall configuration.
I can't disable SIP-ALG? How to Circumnavigate any networking vendors broken implementation of SIP ALG
- Enable TLS on SIP Endpoints, VoiceHost supports TLS which masks SIP signalling from the prying eyes of ALG functionality.
- Enable IPv6 on SIP Endpoints. Practically this is not a realistic option for users requiring mobility but for static locations, this does remove the requirement (Must be supported by your ISP). Most Internet providers do not fully support pure IPv6
- Change you Router Obviously a last resort if all else fails.
Asus Routers | Disable the option SIP Passthrough under Advanced Settings / WAN -> NAT Passthrough. nvram get nf_sip nvram set nf_sip=0 |
AVM Fritz!Box | SIP ALG cannot be disabled. (See above on how to get around this) |
Barracuda Firewalls | Go to Firewall > Firewall Rules > Custom FirewallAccess Rules Click the 'Disabled' check box next to any rules named LAN-2-INTERNET-SIP and INTERNET-2-LAN-SIP This disables SIP ALG. |
Billion | Navigate to the web interface |
BT (Homehubs) | SIP ALG cannot be disabled in the settings of BT HomeHubs but can be disabled with BT Business Hub versions 3 and higher. |
Cisco RV Range | -> Go to System Summary and ensure that the firmware is up to date (1.1.1.06 or later). -> f needed, update firmware by going to System Management > Firmware Upgrade. -> Go to Firewall > General. -> Ensure that Firewall and Remote Management are enabled (checked). -> Ensure that the following are disabled (unchecked): -> SPI (Stateful Packet Inspection) -> DoS (Denial of Service) -> Block WAN Request -> SIP ALG -> Click Save. -> Browse to IPADDRESS/f_general_hidden.htm. -> Set UDP Timeout to 300 seconds. -> Go to Firewall > Access Rules. -> Whitelist VoiceHost IP ranges Save all changes. |
D-Link | In 'Advanced' settings --> 'Application Level Gateway (ALG) Configuration' un-tick the 'SIP' option. |
DD-WRT | No ALG function available - Consider using a public STUN server |
DrayTek | DrayTek Vigor 2760 devices, the option can be found in the regular interface at Network -> NAT -> ALG. If your device does not have a web interface then you'll need a telnet client. You will be prompted to provide a username and/or password. These are the same credentials used to access the router's web interface. Afterwards, type in these commands:
On Draytek Vigor2750 and Vigor2130 please use these commands instead:
|
EE | Huawei E5330 Navigate to the web interface |
Fortinet | Fortigate: Disabling the SIP ALG in a VoIP profile
|
Huawei | The SIP ALG setting is usually found in the Security menu.
|
Juniper | Type the following into the CLI
|
Linksys: | Check for a SIP ALG option in the Administration tab under 'Advanced'. |
Mikrotik | Disable SIP Helper. |
Netgear | Look for a 'SIP ALG' checkbox in 'WAN' settings. Under 'NAT Filtering' uncheck the option 'SIP ALG' |
openwrt | No ALG feature - Consider using a public STUN server |
PfSense | |
SonicWALL Firewall | Under the VoIP tab, the option 'Enable Consistent NAT' should be enabled and 'Enable SIP Transformations' unchecked. |
Speedtouch | To disable SIP ALG you need to telnet into your Speedtouch router and type the following: -> connection unbind application=SIP port=5060 |
TalkTalk | 2017/18 See Huawei (HG633)
|
Technicolor / ThompsonTG588 TG589 TG582 DWA0120 | Open Command Prompt – “Start” → “Run” → type “cmd” and press “Enter”. In Command Prompt, type “telnet 192.168.1.254” and press enter. 192.168.1.254 is the default IP address of the router. If you are running on Windows 7/8/8.1/10, you might need to install the telnet client from “Control Panel” → “Programs and Features” → “Turn Windows features on and off”. The default username is “Administrator”, and there is no default password, leave blank. Type “connection unbind application=SIP port=5060” and press “Enter”. Type “ saveall ” and press “Enter”. Type “exit” and press “Enter” to exit the telnet session. |
Tomato | Depending on the version of Tomato, SIP ALG can be found under Advanced then Conntrack/Netfilter in the Tracking/NAT Helpers section. If you find SIP checked then SIP ALG is enabled. Uncheck it to disable it. |
TP-Link | Navigate to your routers web interface. The default username is admin and the default password is admin. On the left, click on Advanced Setup and then click on NAT and then click on ALG. Uncheck the box by SIP Enabled. (Some TP firmware shows this as SIP Transformations which is the same thing). Click Save/Apply. |
UBEE Gateways | Go to Advanced > Options. Disable (uncheck) SIP. Disable (uncheck) RTSP. Click Apply. |
Ubiquiti | Use the configuration tree if supported: system -> conntrack -> modules -> sip -> disable Alternatively, you can SSH into the device and run the following commands:
|
Virgin SuperHub | SIP ALG cannot be disabled in the settings of SuperHubs. Please see our workarounds at the top of the page. |
Vodafone | 2018 Onwards - See Huawei (HHG2500) |
Vyatta / Brocade: | Type the following into the CLI
|
Watchguard Firewall | Detailed instructions can be found here: https://www.voicehost.co.uk/help/watchguard-firewall-sip-configuration |
ZyXEL | Under Network or Advanced -> ALG un-tick the options Enable SIP ALG and Enable SIP Transformations.
|
ZyXEL (ZyWALL USG Routers) | Go to Settings > Configuration > Network > ALG. Disable SIP ALG. Turn ON Enable SIP Transformations. Turn OFF Enable Configure SIP Inactivity Timeout. |