SIP ALG : How it Affects VoIP Calls

What is SIP ALG?

SIP ALG consists of two different technologies and is common on many commercial firewalls, routers, or modems, often turned ON by default. Session Initialed Protocol (SIP) is the underlying service that powers all Voice over Internet Protocol (VoIP) phones, apps, and devices. SIP manages registering devices, maintaining call presence, and overseeing the call audio. Application Layer Gateway (ALG) is a Network Address Translation (NAT) tool that segments your ISP and your internal network, acting as a proxy to rewrite the destination addresses in data packets for improved connectivity. 

SIP ALG is used to try and avoid configuring Static NAT on a router. However, SIP ALG implementation varies from one router to another, often making it difficult to inter-operate a router with SIP ALG enabled with a PBX.  

How does SIP ALG Affect VoIP Calls?

SIP ALG’s purpose is to prevent some of the problems caused by router firewalls by inspecting VoIP traffic (packets) and modifying it if necessary, but in many cases, it can cause more problems than it solves. Many default router settings, such as SIP ALG can unintentionally disrupt VoIP traffic or make it impossible to initiate or receive VoIP calls altogether. SIP ALG often modifies SIP packets in unexpected ways, corrupting them and making them unreadable resulting in issues such as one-way audio (only one person can hear the other), phones not ringing when called, calls being dropped, or incoming calls going to voicemail automatically.

Although SIP ALG usually causes problems right away, it can exist on your Network for months or years before being troublesome and can possibly result at a later date from a firmware update or corruption of the file system on the routing device. 

How do I Fix SIP ALG Issues?

Although it may be easy to identify a SIP ALG issue, it’s not always easy to fix it. To correct SIP ALG issues with VoIP calling, you will need to disable SIP ALG by logging into your router. Navigate to the security settings in your router and uncheck SIP ALG, then save and reboot your router. Please note that some routers may not allow SIP ALG to be turned off, and more advanced corporate firewalls may require further adjustment, such as port forwarding. 

The following list of devices have been identified by Telesystem as being problematic. Please note the problems and corrections listed below each model.

Arris

Model: modem/gateway running DOCSIS 2.0

Problems: These devices running DOCSIS 2.0 have limited bandwidth support; if more than four simultaneous calls are connected, it discards packets, causing audio issues.

Correction: Change to a modem running DOCSIS version 3.0 as it has greater bandwidth support.

Cisco

Model: RV042

Problems: This firewall is known to intermittently allow phantom calls even when the port forwarding is locked down to a particular source address or range.

Correction: Change to a business class firewall with the necessary features.

Comcast

Model: Home version with wireless

Problems: The home version with wireless gets used by Comcast to also support their open Wi-Fi network (Hotspot) and this can lead to over utilization and voice quality issues. It is reported that it can be disabled, instructions are here  http://bgr.com/2014/06/11/how-to-disable-comcast-xfinity-wi-fi-hotspot/.  If this does not work then a call to ComCast customer service is needed.

Correction: Change to Comcast business version.

Dlink

Model: DIR-655

Problems: SIP ALG is enabled by default; the router stops passing the audio packets after 10 seconds of connection, reporting that the port is not available.

Correction: Change to a business class firewall with the necessary features.

Motorola

Model: SBG-650

Problems: Usually leads to audio problems (used by Time Warner). The problem with this one is that under high utilization it starts buffering (or even freezing) packet output and there doesn't appear to be a way to set QOS to still allow RTP, so will eventually end up with voice quality issues.

Correction: Change to a business class firewall with the necessary features.

Netgear

Model: CG3000DCR

Problems: SIP ALG is enabled by default and cannot be disabled, even by Comcast support.

Correction: Configure the modem to be in bridge mode (Comcast may need to do this) and use a business class firewall behind it to perform QOS functions.

Ubee

Model: modem/router

Problems: frequently used by Time Warner; intermittently causes loss of audio.  Per a Time Warner engineer, there is a cache that crashes and then stops RTP from passing through.

Correction: Change to a modem with the necessary features.

The following routers are known to have SIP ALG enabled by default and can be disabled following the instructions listed below.  If additional makes/models are identified, please let Telesystem know so our list can be updated.

Motorola - SBG6580 - (SurfBoard Extreme Wireless Cable Modem Gateway)

No Registration possible behind NAT as the device changes Call-ID and causes the responses to be discarded by SIP clients/ATAs

No Solution at this time (SIP ALG, called SIP Pass Through, cannot be disabled) .

Must disable NAT and put the device in bridge mode (check Motorola website for guide).

SpeedTouch - ST560 v6 (firmware >= 5.4.0.13 comes with SIP ALG enabled by default.) NAT type: symmetrical

Issues: No incoming calls. It replaces the private IP appearing in SIP headers with the public IP using a dumb text replacement. If for example the private IP appears in the "Call-ID" it replaces it too (that it's completely unnecessary).

To disable SIP ALG:

~# telnet router

connection unbind application=SIP port=5060

save all

Zyxel - 660 family comes with SIPALG enabled by default. NAT type: symmetrical

Issues: No incoming calls.

SIP protocol broken making 50% of outgoing calls impossible because the wrong values are inserted into SIP headers.

To disable SIP ALG:

~# telnet router

Menu option "24. System Maintenance".

Menu option "8. Command Interpreter Mode".

ip nat service sip active 0

Netgear - WGR614v9 Wireless-G Router, DGN2000 Wireless-N ADSL2+ Modem Router

Firmware V1.0.18_8.0.9NA

To disable SIP ALG: From Wan Setup Menu, NAT Filtering, uncheck the box next to "Disable SIP ALG"

SMC - ToDo - NAT type: No symmetrical

Issues: The ALG doesn't replace the private address in "Call-ID" header (that is correct) but it does replace 

the "call-id" value in "Refer-To" header so SIP transfer is broken.

To disable SIP ALG: ToDo no ALG related options found via web and telnet. No idea of how to disable it.

Linksys - WRV200, WRT610N. NAT type: Symmetrical

Issues: The ALG replaces the private address in "Call-ID" header (not needed at all). Some phones (as 

Linksys with latest firmware) encode the "Call-ID" value in the "Refer-To" header (by escaping the dots) 

so the private IP appearing there is not replaced with the public IP. This causes that the call transfer fails 

since the proxy/PBX/endpoint will not recognize the dialog info.

To disable SIP ALG on WRV200; no ALG related options found via web and telnet. No idea of how to disable it.

To disable SIP ALG on WRT610N: Web Interface: Administration, Management, under side heading 'Advanced Features' SIP ALG, can be disabled.

Fortinet - All models come with SIP Helper enabled by default

To disable SIP helper:

~# telnet firewall

config system settings

set sip-helper disable

set sip-nat-trace disable

end

config system session-helper

show <---- use this to find out which entry is configured for typically 12 or 13

delete 12

end                                          

For SIP Trunks

*If using Virtual IPs under objects make sure to turn OFF NAT within each IPv4 rule for VoIP. If not using Virtual IPs under objects make sure to turn ON NAT under each IPv4 rule for VoIP.

The preferred solution is to configure the SIP ALG. Policies that use the SIP ALG will not use SIP helper. Full documentation at http://docs.fortinet.com then pick FortiOS for the version on your device, then VoIP solutions: SIP.

Cisco - 800 series To disable the NAT services for SIP in IOS, just run these commands:

no ip nat service sip tcp port 5060

no ip nat service sip udp port 5060

Juniper/Netscreen - SSG Series TodisableSIPALG:

In the Web interface: Security -> ALG

Asus RT-AC66U - Firmware enables their SIP ALG by default, previously it was not possible to disable from the GUI 

interface. With the latest firmware (as of 3/15/16) there is now a way to disable via the interface, Asus refers to this as SIP Pass-through. Un-checking the box for the feature will disable it. 

Comcast DPC3939B - has ALG pre-installed and cannot be turned off.

Comcast Netgear Gateway Model CG3000 DCR -  will not allow customer to disable SIP ALG. The only true way to 

work around this is to place the CG3000 into bridge mode and then place a router/firewall behind it. *(note, we have seen sites that made this change and still encountered issues, suspicion is that it does not function in a true bridge mode. Some sites had to replace with a regular modem.)

Arris TG862G and TG862G-CT - SIP ALG is enabled and no way to disable. These are often used by Comcast as a Gateway.

AT&T Uverse Arris NVG589 - SIP ALG is enabled by default and cannot be disabled. By default, it will not support 

hosted phones, AT&T may be able to open port 5060 for SIP traffic but it is reported to us it is not possible for user-level admin to do so.

ACTIONTEC model GT784WNV - Frequently used by Verizon. The manual states that ALG is assigned automatically 

and there is no mention of a way to disable.

Verizon FiOS G1100 - This modem has SIP ALG enabled by default and Verizon has not provided a method to disable this feature. Verizon has also not released if it can be disabled by Verizon itself. Best recommendation at this time is not to use this modem. White page link  https://hosting.intermedia.net/support/kb/default.asp?id=3343