The Session Initiation Protocol (SIP) is at the core of a business VoIP system and is responsible for the messages sent between endpoints. With it, you can make and receive voice calls, hold video conferences, send instant messages, and distribute other forms of media.

So, as a VoIP user, you’ve set up your VoIP system, but you encounter some issues. You can’t seem to get good audio quality, calls keep dropping, or your phone keeps ringing after you pick it up. This is not unusual, and you may resolve it by disabling SIP ALG.

In this article, we’ll cover what SIP ALG is and why you should disable it. You will also learn how to turn off SIP ALG and improve your VoIP phone service. Let’s dive right in!

What is SIP ALG?

SIP ALG stands for Session Initiation Protocol Application Layer Gateway. It is mostly found in commercial routers, where it is meant to prevent firewall-related issues by inspecting VoIP data packets and modifying them.

The SIP ALG acts as an independent firmware and works in the client-side LAN gateway, helping users initiate SIP calls more seamlessly. The VoIP audio data packets are then sent over the net. This process is meant to improve call quality but normally fails to do so.

Many routers have SIP ALG turned on by default. However, it mostly hinders the quality of SIP calls because of the delicate nature of data packets and the multi-process nature of SIP. This is why many SIP providers will advise you to disable the feature on your router.

Signs SIP ALG is Affecting VoIP Calls

There are many signs to tell if SIP ALG is affecting your VoIP calls. Here are some of the most common ones:

  • One-way or no-way audio
  • Outbound or inbound calls fail to connect
  • No incoming calls
  • Audio permanently cuts out while on a call
  • Calls drop after being connected
  • Phones do not ring when called
  • Phones continue to ring but can’t be answered
  • Unable to call another extension on its network
  • Calls going to voicemail
  • Breaking SIP signaling
  • No communication with your SIP trunking proxy

If you are experiencing any of these, check your router settings and turn off SIP ALG. Before we go over how to do that, let us look into why it’s necessary to disable SIP ALG.

Why Disable SIP ALG?

Every time the VoIP system confirms a connection in a SIP call, the ALG inspects and modifies the SIP packets being sent. This erratic modification, intended to improve call quality, ends up worsening it.

The change from private IP addresses to public ones is done by scripting, which sometimes causes message information loss. This, in turn, affects VoIP call quality. That’s why the best practice is to turn off SIP ALG entirely. Other reasons to disable SIP ALG are that it:

  • Cuts SIP calls.
  • Is not useful for cloud-based VoIP providers.
  • Negatively impacts the reliability of desk phones and VoIP apps.
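
The payload rewriting described above can be checked directly by comparing a SIP message as the phone sent it with the copy that arrived at the provider. The following is an added example, not part of the original article: the sample INVITE, the addresses and the function names are constructed for illustration. It assumes IPv4 and that both copies were captured before any SIP proxy handled the message.

```python
import ipaddress
import re

# Constructed sample (trimmed INVITE): what a phone at 192.168.1.50 sent.
SENT = (
    "INVITE sip:bob@voip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
    "c=IN IP4 192.168.1.50\r\n"
)
# Constructed: same message after a hypothetical ALG rewrote Via, Contact and c= but not o=.
RECEIVED = (SENT.replace("192.168.1.50:5060", "203.0.113.7:1024")
                .replace("c=IN IP4 192.168.1.50", "c=IN IP4 203.0.113.7"))

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELDS = {  # address-bearing parts of the SIP payload (IPv4 only)
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.M | re.I),
    "Contact": re.compile(r"^Contact:.*?sip:(?:[^@>]*@)?([^;>\s]+)", re.M | re.I),
    "SDP o=": re.compile(r"^o=\S+ \S+ \S+ IN IP4 (\S+)", re.M),
    "SDP c=": re.compile(r"^c=IN IP4 (\S+)", re.M),
}

def is_rfc1918(hostport):
    try:
        addr = ipaddress.ip_address(hostport.split(":")[0])
    except ValueError:  # a hostname, not an address literal
        return False
    return any(addr in net for net in RFC1918)

def compare(sent, received):
    """Map each field to (sent, received, status). Plain NAT edits only IP/UDP headers."""
    report = {}
    for name, rx in FIELDS.items():
        s, r = rx.search(sent), rx.search(received)
        if not (s and r):
            report[name] = (None, None, "missing")
            continue
        a, b = s.group(1), r.group(1)
        status = "rewritten" if a != b else "private-kept" if is_rfc1918(a) else "unchanged"
        report[name] = (a, b, status)
    return report

def verdict(report):
    statuses = {v[2] for v in report.values()}
    if "rewritten" not in statuses:
        return "payload intact"
    return "partial rewrite" if "private-kept" in statuses else "full rewrite"
```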

How Do I Turn Off SIP ALG on My Router?

Router: how to disable SIP ALG

Asus

1. Disable the option SIP Passthrough under Advanced Settings / WAN -> NAT Passthrough.

2. Another option to disable SIP is via Telnet. 

To do it manually, enter the command:

nvram get nf_sip

(It should return a “1”.)

nvram set nf_sip=0

nvram commit

Finally, reboot
Actiontec

1. Select Advanced, click Yes to accept the warning, then click ALG’s.

2. Ensure SIP ALG is disabled by removing the check, then click Apply.

3. Select Advanced, click Yes to accept the warning, then click Remote Administration.

4. Check the box to Allow Incoming WAN ICMP Echo Requests, then click Apply.
Arris

For most Arris broadband gateways:

1. Go to the gateway’s IP (192.168.0.1).

2. Use the Username: admin and Password: motorola

3. Go to Advanced, then Options.

4. Uncheck the SIP box and click Apply.

For Arris BGW210

1. Go to 192.168.1.254.

2. Authenticate without a username, and use the password located on the unit’s sticker.

3. Under the Firewall, click on Advanced Firewall.

4. Turn off the Set SIP ALG setting.

5. Turn off the Authentication Header Forwarding.

6. Turn off ESP Header Forwarding and Click Save.
Barracuda Firewalls

1. Go to Firewall > Firewall Rules > Custom Firewall Access Rules

2. Click the “Disabled” check box next to any rules named LAN-2-INTERNET-SIP and INTERNET-2-LAN-SIP
Billion

1. Go to the web interface

2. Select Configuration

3. Select NAT, then select ALG

4. Disable SIP ALG
Cisco

For RV Range

(RV082, RV016, RV042, RV042G, RV325)

1. Go to System Summary and ensure that the firmware is up to date (1.1.1.06 or later).

2. Update firmware by going to System Management > Firmware Upgrade.

3. Go to Firewall > General.

4. Ensure that Firewall and Remote Management are checked.

5. Ensure that the following are disabled:

a. SPI (Stateful Packet Inspection)
b. DoS (Denial of Service)
c. Block WAN Request
d. SIP ALG

6. Click Save.

7. Browse to IPADDRESS/f_general_hidden.htm.

8. Set UDP Timeout to 300 seconds

9. Go to Firewall > Access Rules

10. Whitelist VoiceHost IP ranges and save all changes.

For Cisco General and Enterprise-Class routers:

Execute these commands:

no ip nat service sip tcp port 5060

no ip nat service sip udp port 5060 

For Cisco PIX routers:

Execute these commands:

no fixup protocol sip 5060

no fixup protocol sip udp 5060 

For Cisco ASA routers:

Go to ‘Class inspection_default’ under ‘Policy-map global_policy’.

Execute this command:

no inspect sip
D-Link

For most D-Link gateways:

1. Click on Advanced Settings.

2. Locate the Application Level Gateway (ALG) Configuration.

3. Uncheck the SIP option and Click Save. 

For DIR-655:

1. Click Advanced.

2. Click Firewall Settings

3. Uncheck Enable SPI

4. Set both UDP and TCP Endpoint Filtering to Endpoint Independent.

5. Uncheck SIP from Application Level Gateway Configuration and Click Save.
DrayTek

For DrayTek Vigor 2760 devices:

1. Go to the regular interface at Network -> NAT -> ALG.

2. If you don’t have a web interface, then you’ll need a telnet client.

3. You will be prompted to provide a username and password, which are the same you’d have used to access the web interface.

4. Next, type in these commands:

sys sip_alg 0

sys commit

For Draytek Vigor2750 and Vigor2130, type these commands: 

kmodule_ctl nf_nat_sip disable

kmodule_ctl nf_conntrack_sip disable
EE / Huawei (E5330)

1. Go to the web interface

2. Click Settings.

3. Enter the username (admin) and password (admin), then click Log In.

4. Click the Security dropdown.

5. Click SIP ALG Settings.

6. Uncheck the Enable SIP ALG box and Click Apply.
Fortinet

First method:

1. Execute these commands from the CLI interface:

config system session-helper

show system session-helper

2. Find the SIP session instance indicated by #12

3. Delete #12 or the appropriate number

4. Confirm it is deleted by executing this command:

show system session-helper 

The second method is disabling the SIP ALG in a VoIP profile. If you are using the VoIP profile for SCCP, execute the following command:

config voip profile

edit VoIP_Pro_2

config sip

set status disable

end
Juniper

In the CLI interface:

First, check if SIP ALG is currently enabled or disabled by running:

show security alg status | match sip 

To disable, execute the following command:

configure

set security alg sip disable

commit
Linksys

For Linksys Smart Wi-Fi (E-series):

1. On the left side of the screen, click on Connectivity.

2. Click the Administration tab.

3. Under Application Layer Gateway, verify SIP is unchecked. Then Click Apply. 

For Linksys BEFSR41 routers:

1. On the Admin page, Click Applications and Gaming.

2. Click Port Triggering.

3. Enter ‘TCP’ as the application.

4. Enter ‘5060’ into the Start Port and End Port for the ‘Triggering Range’ and ‘Forwarded Range’ fields.

5. Check ‘Enable’.

6. Save and Reboot. 

For older Linksys models:

1. Go to the ‘Advanced’ section on the Admin page

2. Disable the IP ALG feature.
MikroTik

Here, SIP ALG is called SIP Helper.

1. Use the company’s winbox software.

2. Go to IP, then Firewall.

3. Click on the Service Ports tab and disable it through the GUI. 

Alternatively, run this command from the terminal:

 /ip firewall service-port disable sip
Netgear

For Netgear routers with the Genie interface:

1. Go to Advanced tab.

2. Expand the Setup menu

3. Click WAN Setup.

4. Check “Disable SIP ALG” box.

5. Port Scan, DoS Protection and STUN in VoIP settings should also be disabled. 

For other Netgear routers:

1. Under the Security/Firewall, Click Advanced Settings.

2. Disable SIP ALG.

3. Locate Session Limit

4. Increase UDP timeout to 300 sec.
SonicWall

1. Under System Setup, go to the VoIP tab.

2. Check ‘Enable Consistent NAT’

3. Uncheck ‘Enable SIP Transformations’.

4. Click Accept.

5. To increase UDP timeouts, go to the Firewall Settings, then Flood Protection.

6. Click on the UDP tab and modify the UDP timeout to 300 seconds.

7. Click Accept
Technicolor / Thomson TG588 TG589 TG582 DWA0120

1. Open Command Prompt. Type cmd and press Enter.

2. Type telnet 192.168.1.254 (the default IP address of the router) and press Enter.

3. If you are running on Windows 7/8/8.1/10, you will need to install the telnet client.

4. The default username is “Administrator”. Leave the password empty.

5. Type connection unbind application=SIP port=5060 and press Enter.

6. Type saveall and press Enter.

7. Type exit and press Enter

SIP ALG Summary & Takeaways

Disabling SIP ALG can be the solution to several issues with VoIP calls. Unfortunately, many technicians overlook this, but it is a factor worth considering to improve your virtual phone’s performance and effectiveness.

  • Many routers have SIP ALG turned on by default.
  • The best practice for VoIP users is to turn off SIP ALG entirely.
  • If the problems continue after disabling SIP ALG, check your firewall configuration.