What is SIP ALG and Why VoIP Users Should Disable It?
The Session Initiation Protocol, SIP, is at the core of a business VoIP system and is responsible for messages sent between endpoints. With it, you can easily make and receive voice calls, do video conferencing, send instant messaging, and other forms of media distribution.
So, as a VoIP user, you’ve set up your VoIP system, but you encounter some issues. You can’t seem to get a good audio quality, and the calls keep dropping, or your phone keeps ringing after you pick it up. This is not unusual, and you may resolve it by disabling SIP ALG.
In this article, we’ll cover what SIP ALG is and why you should disable it. You will also learn how to turn off SIP ALG and improve your VoIP phone service. Let’s dive right in!
What is SIP ALG?
SIP ALG stands for Session Initiation Protocol Application Layer Gateway. It is mostly found in commercial routers to prevent firewall-related issues by inspecting VoIP data packets and modifying them.
The SIP ALG acts as an independent firmware and works in the client-side LAN gateway, helping users initiate SIP calls more seamlessly. The VoIP audio data packets are then sent over the net. This process is meant to improve call quality but normally fails to do so.
Many routers have SIP ALG turned on by default. However, it mostly hinders the quality of SIP calls because of the delicate nature of data packets and the multi-process nature of SIP. This is why many SIP providers will advise you to disable the feature on your router.
Signs SIP ALG is Affecting VoIP Calls
There are many signs to tell if SIP ALG is affecting your VoIP calls. Here are some of the most common ones:
- One-way or no-way audio
- Outbound or inbound calls fail to connect
- No incoming calls
- Audio permanently cuts out while on a call
- Calls drop after being connected
- Phones do not ring when called
- Phones continue to ring but can’t be answered
- Unable to call another extension on its network
- Calls going to voicemail
- Breaking SIP signaling
- No communication with your SIP trunking proxy
If you are experiencing any of these, check your router settings and turn off SIP ALG. Before we go over how to do that, let us look into why it’s necessary to disable SIP ALG.
Why Disable SIP ALG?
Every time the VoIP system confirms a connection in SIP calls, ALG inspects and modifies the SIP packets being sent. This erratic modification intended to improve call quality ends up worsening it.
The change from private IP addresses to Public is done by scripting, which sometimes causes message information loss. This, in turn, affects VoIP call quality. That’s why the best practice is to turn off SIP ALG entirely. Other reasons you should disable SIP ALG is because it:
- Cuts SIP calls
- It’s not useful for cloud-based VoIP providers.
- Negatively impacts the reliability of desk phones and VoIP apps.
How Do I Turn Off SIP ALG on My Router?
|Router||How to disable SIP ALG|
|Asus||1. Disable the option SIP Passthrough under Advanced Settings / WAN -> NAT Passthrough.|
2. Another option to disable SIP is via Telnet.
To do it manually enter the command:
nvram get nf_sip
It should return a “1”)
nvram set nf_sip=0
|Actiontec||1. Select Advanced, click Yes to accept the warning, then click ALG’s.|
2.Ensure SIP ALG is disabled by removing the check and click Apply.
3. Select Advanced, click Yes to accept the warning, then click Remote Administration.
4. Check the box to Allow Incoming WAN ICMP Echo Requests, then click Apply.
|Arris||For Most Arris broadband gateways:|
1. Go to the gateway’s IP (192.168.0.1).
2. Use the Username: admin and Password: motorola
3. Go to Advanced, then Options.
4. Uncheck the SIP box and click Apply.
For Arris BGW210
1. Go to 192.168.1.254.
2. Authenticate without a username, and use the password located on the unit’s sticker.
3. Under the Firewall, click on Advanced Firewall.
4. Turn off the Set SIP ALG setting.
5. Turn off the Authentication Header Forwarding.
6. Turn off ESP Header Forwarding and Click Save.
|Barracuda Firewalls||1. Go to Firewall > Firewall Rules > Custom Firewall Access Rules|
2. Click the “Disabled” check box next to any rules named LAN-2-INTERNET-SIP and INTERNET-2-LAN-SIP
|Billion||1. Go to the web interface|
2. Select Configuration
3. Select NATSelect ALG
4. Disable SIP ALG
|Cisco||For RV Range|
(RV082, RV016, RV042, RV042G, RV325)
1. Go to System Summary and ensure that the firmware is up to date (1.1.1.06 or later).
2. Update firmware by going to System Management > Firmware Upgrade.
3. Go to Firewall > General.
4. Ensure that Firewall and Remote Management are checked.
5. Ensure that the following are disabled:
a. SPI (Stateful Packet Inspection)
b. DoS (Denial of Service)
c. Block WAN Request
d. SIP AL
6. Click Save.
7. Browse to IPADDRESS/f_general_hidden.htm.
8. Set UDP Timeout to 300 seconds
9. Go to Firewall > Access Rules
10. Whitelist VoiceHost IP ranges and save all changes.
For Cisco General and Enterprise-Class routers:
Execute these commands:
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
For Cisco PIX routers:
Execute these commands:
no fixup protocol sip 5060
no fixup protocol sip udp 5060
For Cisco ASA routers:
Go to ‘Class inspection_default’ under ‘Policy-map global_policy’.
Execute this command:
no inspect sip
|D-Link||For most D-Link gateways: |
1. Click on Advanced Settings.
2.Locate the Application Level Gateway (ALG) Configuration.
3. Uncheck the SIP option and Click Save.
1. Click Advanced.
2. Click Firewall Settings
3. Uncheck Enable SPI
4. Set both UDP and TCP Endpoint Filtering to Endpoint Independent.
5. Uncheck SIP from Application Level Gateway Configuration and Click Save.
|DrayTek||For DrayTek Vigor 2760 devices: |
1. Go to the regular interface at Network -> NAT -> ALG.
2. If you don’t have a web interface, then you’ll need a telnet client.
3. You will be prompted to provide a username and password, which are the same you’d have used to access the web interface.
4. Next, type in these commands:
sys sip_alg 0
For Draytek Vigor2750 and Vigor2130, type these commands:
kmodule_ctl nf_nat_sip disable
kmodule_ctl nf_conntrack_sip disable
|EE / Huawei (E5330)||1. Go to the web interface|
2. Click Settings.
3. Enter the username (admin) and password (admin), then click Log In.
4. Click the Security dropdown.
5. Click SIP ALG Settings.
6. Uncheck the Enable SIP ALG box and Click Apply.
|Fortinet||First method: |
1. Execute these commands from the CLI interface:
config system session-helper
show system session-helper
2. Find the SIP session instance indicated by #12
3. Delete #12 or the appropriate number
4. Confirm it is deleted by executing this command:
show system session-helper
The second method is disabling the SIP ALG in a VoIP profile. If you are using the VoIP profile for SCCP, execute the following command:
config voip profil
set status disable
|Juniper||In the CLI interface: |
First, check if SIP ALG is currently enabled or disabled by running:
show security alg status | match sip
To disable, execute the following command:
set security alg sip disable
|Linksys||For Linksys Smart Wi-Fi (E-series):|
1. On the left side of the screen, click on Connectivity.
2. Click the Administration tab.
3. Under Application Layer Gateway, verify SIP is unchecked. Then Click Apply.
For Linksys BEFSR41 routers:
1. On the Admin page, Click Applications and Gaming.
2. Click Port Triggering.
3. Enter ‘TCP’ as the application.
4. Enter ‘5060’ into the Start Port and End Port for the ‘Triggering Range’ and ‘Forwarded Range’ fields.
5. Check ‘Enable’.
6. Save and Reboot.
For older Linksys models:
1. Go to the ‘Advanced’ section on the Admin page
2. Disable the IP ALG feature.
|Mikrotik||Here, SIP ALG is SIP Helper.|
1. Use the company’s winbox software.
2. Go to IP, then Firewall.
3. Click on the Service Ports tab and disable it through the GUI.
Alternatively, run this command from the terminal:
/ip firewall service-port disable sip
|Netgear||For Netgear routers with the Genie interface:|
1. Go to Advanced tab.
2. Expand the Setup menu
3. Click WAN Setup.
4. Check “Disable SIP ALG” box.
5. Port Scan, DoS Protection and STUN in VoIP settings should also be disabled.
For other Netgear routers:
1. Under the Security/Firewall, Click Advanced Settings.
2. Disable SIP ALG.
3. Locate Session Limit
4. Increase UDP timeout to 300 sec.
|SonicWall||1. Under System Setup, Go to the VoIP tab.|
2. Check ‘Enable Consistent NAT’
3. Uncheck ‘Enable SIP Transformations’.
4. Click Accept.
5. To increase UDP timeouts, go to the Firewall Settings, then Flood Protection.
6. Click on the UDP tab and modify the UDP timeout to 300 seconds.
7. Click Accept
|Technicolor / ThompsonTG588 TG589 TG582 DWA0120||1. Open Command Prompt. Type cmd and press Enter.|
2. Type telnet 192.168.1.254 (the default IP address of the router) and press Enter.
3. If you are running on Windows 7/8/8.1/10, you will need to install the telnet client.
4. The default username is “Administrator”. Leave the password empty.
5. Type connection unbind application=SIP port=5060 and press Enter.
6. Type saveall and press Enter.
7. Type exit and press Enter
SIP ALG Summary & Takeaways
Disabling SIP ALG can be the solution to several issues with VoIP calls. Unfortunately, many technicians overlook this, but it is a factor worth considering to improve your virtual phone’s performance and effectiveness.
- Many routers have SIP ALG turned on by default.
- The best practice for VoIP users is to turn off SIP ALG entirely.
- If the problems continue after disabling SIP ALG, check your firewall configuration.