FirstDigital Customer Knowledge-base

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Current »

Below is an explanation of SIP ALG, signs that SIP ALG may be the issue, and tricks we’ve learned over the years regarding common equipment models.

Common signs of SIP ALG NATing issues

  • Softphone works but physical phones will not register or stay registered. (Firewall is blocking a server IP from the hosted product)

  • BLF's work intermittently or not at all. (Source Ports are changing too often)

  • Transferring calls internally end up at the wrong location or a user can't pick up a parked call. (Source ports changing too often)

  • Rebooting a phone that has lost registration causes another phone to drop. (Duplicate source ports)

  • Outbound calls fail. (Source port changed during handshake/invite with hosted product)

  • Inbound calls reach the wrong destination. (Source port changed during handshake/invite with hosted product)

  • Call quality. Intermittent drops in audio. (Source port changes during the call. (Firewall will correct the change but milliseconds are lost during the process causing call quality issues, network jitter.) 

  • One way or no audio but call is connected. Both intermittently or consistently. (Source port changed during the invite, after a successful handshake)

  • Phone rings but call can't be picked up. (Source port changed during the invite, after a successful handshake)

  • And many others!

SIP ALG (Application Level Gateway) is a feature in which the network device (router, access point, or any Layer 2 or Layer 3 device) manipulates the payload section of a SIP Packet to change the Private address to a public IP address. As the phone (or softphone) is not aware of the public address, all payload information would reference the device's Private Address. Network devices with ALG Enabled attempt to "correct" this by opening all SIP packets and manipulating the payload (body) of the packets by replacing private addresses with the public/NAT IP of the edge device and the NAT port. Unfortunately, some devices do not properly manipulate these packets causing them to be invalid or contain incorrect information.

When SIP ALG re-writes SIP packet headings and payloads, the process can disrupt the delivery process. This can make the device believe that it is not behind a NAT, when in fact it is. If ALG disrupts a call, it can lead to incoming call failure, phones that unregister themselves, one-way audio, hold issues, and more. For this reason, we recommend that this function be disabled.

ALG settings are typically found in the administration interface of the router, but each router’s configuration setup will differ. Check the manufacturer’s documentation to understand where to find and disable this setting in your device.

The following are general guidelines for popular makes and models. If you don't see your router or manufacturer below, consult the manufacturer's documentation.

If you've troubleshot our hosted products, and physical devices and didn't find any issues it's most likely a SIP ALG or NAT issue. We're not expected to troubleshoot the customer's firewall. But we want to make sure we're pointing the customer in the right direction and providing them with some resources and or direction. Once I've narrowed down the issue to ALG or NAT I will say something to the effect of "Based on previous experiences with our products and firewalls, it sounds like this may be a SIP ALG or NAT issue".  Ask them what kind of firewall they have. If it's listed below or in one of the links at the bottom of this page, provide them with the commands and advise they pass it along to their IT Team to review.

Common Firewalls and Commands

Adtran Routers

Add the following:

no ip firewall alg sip

Arris Gateways 

  1. Go to Advanced > Options.

  2. Disable (uncheck) SIP.

  3. Click Apply.

Arris Gateway IP Address: 192.168.0.1

  • Username: admin

  • Password: Motorola

Arris BGW210-700 (AT&T)

  1. Go to Firewall > Advanced Firewall

  2. Set SIP ALG (OFF)

  3. Authentication Header Forwarding (OFF)

  4. ESP Header Forwarding (OFF)

  5. Click Save

Arris Gateway IP Address:  192.168.1.254

Username: located on the device's barcode sticker
Password:  located on the device's barcode sticker

 

ASA Routers

  1. Go to policy-map global_policy > class inspection_default.

  2. Enter:

no inspect sip

 

Cisco (non-ASA)

On Cisco devices, SIP-ALG is referred to as “SIP Fixup” and is enabled by default on both routers and Pix devices. Because this is a default setting, no indication of it being "on" or "off" is visible in the configuration.

To disable SIP Fixup, issue the following commands:

General Routers

no ip nat service sip tcp port 5060

no ip nat service sip udp port 5060

Enterprise-Class Routers

no ip nat service sip tcp port 5060

no ip nat service sip udp port 5060

All Cisco Routers

ip nat translation udp-timeout 86400

ip nat translation tcp-timeout 86400

 

Palo Alto SIP ALG

The link below provides instructions on how to disable SIP ALG.

Link to Palo Alto walk through

Pix Devices

no fixup protocol sip 5060

no fixup protocol sip udp 5060

 

D-Link Routers

  1. From the admin interface page of the router, navigate to Advanced settings.

  2. Under Application Level Gateway (ALG) Configuration, uncheck the SIP option.

 

Fortinet Routers

  1. From CLI interface, type the following commands:

  • config system session-helper

  • show system session-helper

(Look for the session instance that refers to SIP—likely to be #12)

  • Delete 12

(Or number corresponding to SIP reference)

  1. To confirm deletion, run show system session-helper again.

  2. Ensure there is no reference to SIP or port 5060.

 

Linksys Routers

General Linksys Guidelines

  1. From the ADMIN page of the router, navigate to [Administration] > [Advanced].

  2. Look for and disable a SIP ALG option.

Linksys BEFSR41

  1. From the ADMIN page of the router, navigate to [APPLICATIONS & GAMING] > [PORT TRIGGERING].

  2. Enter [TCP] as the application.

  3. Enter [5060] into the Start Port and End Port for both the Triggering Range and Forwarded Range.

  4. Check Enable

  5. Save Settings.

  6. Reboot IP phone.

 

Netgear Routers

  1. From administration interface, go to Security > Firewall > Advanced settings.

  2. Uncheck the option for SIP ALG.

  3. Under Security > Firewall > Session Limit, increase the UDP timeout to the 300 seconds.

 

SonicWall Routers

One of the biggest offenders.

Link to SonicWall Guide

  1. Uncheck the box for Use SIP Header Transformation.

  2. Disable consistent NAT.

When setting the Global Default UDP timeout value on a SonicWall firewall, you must still fix the pre-existing rules' individual UDP timeout values. New rules will inherit the Global Default. Increase the UDP timeout to the suggested 300 seconds both globally on the firewall and the specific out-bound firewall rule (or the default rule, as the case may be).

 

UBEE Gateways

  1. Go to Advanced > Options.

  2. Disable (uncheck) SIP.

  3. Disable (uncheck) RTSP.

  4. Click Apply.

 

ZyXEL ZyWALL USG Routers

  1. Go to Settings > Configuration > Network > ALG.

  2. Disable SIP ALG.

  • No labels