Below is an explanation of SIP ALG, signs that SIP ALG may be the issue, and tricks we’ve learned over the years regarding common equipment models.
Common signs of SIP ALG NATing issues
Softphone works but physical phones will not register or stay registered. (Firewall is blocking a server IP from the hosted product)
BLFs work intermittently or not at all. (Source ports are changing too often)
Internally transferred calls end up at the wrong location, or a user can't pick up a parked call. (Source ports changing too often)
Rebooting a phone that has lost registration causes another phone to drop. (Duplicate source ports)
Outbound calls fail. (Source port changed during handshake/invite with hosted product)
Inbound calls reach the wrong destination. (Source port changed during handshake/invite with hosted product)
Call quality. Intermittent drops in audio. (Source port changes during the call. The firewall will correct the change, but milliseconds are lost during the process, causing call quality issues and network jitter.)
One-way or no audio but call is connected, either intermittently or consistently. (Source port changed during the invite, after a successful handshake)
Phone rings but call can't be picked up. (Source port changed during the invite, after a successful handshake)
And many others!
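To check a site against the source-port causes listed above, the sketch below (an added example, not part of the original article) counts per-extension source-port changes and finds public ip:port pairs claimed by more than one extension. The tuple layout and the sample records are constructed for illustration; adapt the input to whatever registration log your platform exports.

```python
from collections import defaultdict

# Constructed sample: (seconds, extension, source IP, source port) for each
# REGISTER as seen by the hosted platform. All phones share one public IP.
OBSERVED = [
    (0,   "101", "203.0.113.7", 1024),
    (0,   "102", "203.0.113.7", 1025),
    (60,  "101", "203.0.113.7", 1024),
    (60,  "102", "203.0.113.7", 1031),
    (120, "101", "203.0.113.7", 1024),
    (120, "102", "203.0.113.7", 1044),
    (125, "103", "203.0.113.7", 1024),   # collides with 101's binding
]

def port_churn(observations):
    """Count source-port changes per extension between consecutive REGISTERs."""
    last, changes = {}, defaultdict(int)
    for _, ext, ip, port in sorted(observations):
        if ext in last and last[ext] != (ip, port):
            changes[ext] += 1
        last[ext] = (ip, port)
    return dict(changes)

def duplicate_bindings(observations):
    """Return public ip:port pairs currently claimed by more than one extension."""
    latest = {}
    for _, ext, ip, port in sorted(observations):
        latest[ext] = (ip, port)
    owners = defaultdict(list)
    for ext, binding in latest.items():
        owners[binding].append(ext)
    return {b: sorted(e) for b, e in owners.items() if len(e) > 1}

print("port changes per extension:", port_churn(OBSERVED))
print("shared bindings:", duplicate_bindings(OBSERVED))
```

An extension whose port changes on every re-registration matches the BLF and transfer symptoms; a shared binding matches the case where rebooting one phone drops another.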
SIP ALG (Application Level Gateway) is a feature in which the network device (router, access point, or any Layer 2 or Layer 3 device) manipulates the payload section of a SIP packet to change the private address to a public IP address. Because the phone (or softphone) is not aware of the public address, all payload information references the device's private address. Network devices with ALG enabled attempt to "correct" this by opening all SIP packets and replacing the private addresses in the payload (body) with the public/NAT IP of the edge device and the NAT port. Unfortunately, some devices do not manipulate these packets properly, leaving them invalid or carrying incorrect information.
When SIP ALG rewrites SIP packet headers and payloads, it can disrupt delivery. This can make the device believe that it is not behind a NAT, when in fact it is. If ALG disrupts a call, it can lead to incoming call failure, phones that unregister themselves, one-way audio, hold issues, and more. For this reason, we recommend that this function be disabled.
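One way to confirm that an ALG is rewriting payloads is to capture the same SIP message on the LAN side and at the hosted platform and compare the address-bearing fields. Plain NAT changes only the IP/UDP header, so any difference inside the SIP headers or SDP body points to an ALG. This is an added example, not part of the original article; the messages and addresses are constructed.

```python
import re

def split_msg(raw):
    """Split a SIP message into (headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers, body

def address_fields(raw):
    """Pull out the address-bearing fields an ALG rewrites."""
    headers, body = split_msg(raw)
    found = {}
    patterns = {"Via": (r"SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?", headers.get("via", "")),
                "Contact": (r"sip:[^@>]*@([\d.]+)(?::(\d+))?", headers.get("contact", ""))}
    for name, (pattern, value) in patterns.items():
        m = re.search(pattern, value)
        if m:
            found[name] = f"{m.group(1)}:{m.group(2) or 5060}"
    m = re.search(r"^c=IN IP4 ([\d.]+)", body, re.M)
    if m:
        found["SDP c="] = m.group(1)
    return found

def alg_report(sent, received):
    """Compare the LAN-side and server-side copies of one SIP message."""
    before, after = address_fields(sent), address_fields(received)
    rewritten = {k: (v, after.get(k)) for k, v in before.items() if after.get(k) != v}
    headers, body = split_msg(received)
    return {"rewritten": rewritten,
            "untouched": [k for k in before if k not in rewritten],
            "content_length_ok": int(headers.get("content-length", 0)) == len(body.encode())}

# Constructed sample with documentation addresses, not a real capture.
SDP = "v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\nm=audio 11780 RTP/AVP 0\r\n"
HEAD = ("INVITE sip:200@pbx.example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP {via}:5060;branch=z9hG4bK776a\r\n"
        "Contact: <sip:100@{contact}>\r\n"
        "Content-Type: application/sdp\r\n"
        "Content-Length: {clen}\r\n\r\n")
LAN_BODY = SDP.format(ip="192.168.1.50")
SENT = HEAD.format(via="192.168.1.50", contact="192.168.1.50:5060", clen=len(LAN_BODY)) + LAN_BODY
# Server-side copy after a faulty ALG (Via untouched, Content-Length stale).
RECEIVED = (HEAD.format(via="192.168.1.50", contact="203.0.113.7:1024", clen=len(LAN_BODY))
            + SDP.format(ip="203.0.113.7"))

print(alg_report(SENT, RECEIVED))
```

A non-empty `rewritten` together with a non-empty `untouched` list is the partial rewrite described above, and `content_length_ok` being false shows a body that changed size without the header being recomputed.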
ALG settings are typically found in the administration interface of the router, but each router’s configuration setup will differ. Check the manufacturer’s documentation to understand where to find and disable this setting in your device.
The following are general guidelines for popular makes and models. If you don't see your router or manufacturer below, consult the manufacturer's documentation.
If you've troubleshot our hosted products and the physical devices and didn't find any issues, it's most likely a SIP ALG or NAT issue. We're not expected to troubleshoot the customer's firewall, but we want to make sure we're pointing the customer in the right direction and providing them with some resources and/or direction. Once I've narrowed down the issue to ALG or NAT, I will say something to the effect of "Based on previous experiences with our products and firewalls, it sounds like this may be a SIP ALG or NAT issue." Ask them what kind of firewall they have. If it's listed below or in one of the links at the bottom of this page, provide them with the commands and advise that they pass them along to their IT team to review.
Common Firewalls and Commands
Adtran Routers
Add the following:
no ip firewall alg sip
Arris Gateways
Go to Advanced > Options.
Disable (uncheck) SIP.
Click Apply.
Arris Gateway IP Address: 192.168.0.1
Username: admin
Password: Motorola
Arris BGW210-700 (AT&T)
Go to Firewall > Advanced Firewall
Set SIP ALG (OFF)
Authentication Header Forwarding (OFF)
ESP Header Forwarding (OFF)
Click Save
Arris Gateway IP Address: 192.168.1.254
Username: located on the device's barcode sticker
Password: located on the device's barcode sticker
ASA Routers
Go to policy-map global_policy > class inspection_default.
Enter:
no inspect sip
Cisco (non-ASA)
On Cisco devices, SIP-ALG is referred to as “SIP Fixup” and is enabled by default on both routers and Pix devices. Because this is a default setting, no indication of it being "on" or "off" is visible in the configuration.
To disable SIP Fixup, issue the following commands:
General Routers
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
Enterprise-Class Routers
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
All Cisco Routers
ip nat translation udp-timeout 86400
ip nat translation tcp-timeout 86400
Palo Alto SIP ALG
The link below provides instructions on how to disable SIP ALG.
Link to Palo Alto walk through
Pix Devices
no fixup protocol sip 5060
no fixup protocol sip udp 5060
D-Link Routers
From the admin interface page of the router, navigate to Advanced settings.
Under Application Level Gateway (ALG) Configuration, uncheck the SIP option.
Fortinet Routers
From the CLI, type the following commands:
config system session-helper
show system session-helper
(Look for the session instance that refers to SIP—likely to be #12)
delete 12
(Or the number corresponding to the SIP reference)
end
(Saves the change and exits the session-helper configuration)
To confirm deletion, run show system session-helper again.
Ensure there is no reference to SIP or port 5060.
Linksys Routers
General Linksys Guidelines
From the ADMIN page of the router, navigate to [Administration] > [Advanced].
Look for and disable a SIP ALG option.
Linksys BEFSR41
From the ADMIN page of the router, navigate to [APPLICATIONS & GAMING] > [PORT TRIGGERING].
Enter [TCP] as the application.
Enter [5060] into the Start Port and End Port for both the Triggering Range and Forwarded Range.
Check Enable.
Save Settings.
Reboot IP phone.
Netgear Routers
From the administration interface, go to Security > Firewall > Advanced settings.
Uncheck the option for SIP ALG.
Under Security > Firewall > Session Limit, increase the UDP timeout to 300 seconds.
SonicWall Routers
One of the biggest offenders.
Uncheck the box for Use SIP Header Transformation.
Disable consistent NAT.
When setting the Global Default UDP timeout value on a SonicWall firewall, you must still fix the pre-existing rules' individual UDP timeout values. New rules will inherit the Global Default. Increase the UDP timeout to the suggested 300 seconds both globally on the firewall and on the specific outbound firewall rule (or the default rule, as the case may be).
UBEE Gateways
Go to Advanced > Options.
Disable (uncheck) SIP.
Disable (uncheck) RTSP.
Click Apply.
ZyXEL ZyWALL USG Routers
Go to Settings > Configuration > Network > ALG.
Disable SIP ALG.