Disabling SIP-ALG in your Router or Firewall

Overview

SIP ALG (Application-Level Gateway) is a feature in which a network device (router, access point, or any Layer 2 or Layer 3 device) rewrites the payload section of a SIP packet, changing private addresses to public addresses. Because the phone (or softphone) is not aware of its public address, all payload information it sends references the device's private address. Network devices with ALG enabled attempt to "correct" this by opening all SIP packets and replacing the private addresses in the payload (body) with the public/NAT IP of the edge device and the NAT port. Unfortunately, some devices do not rewrite these packets properly, leaving them invalid or carrying incorrect information.

When SIP ALG rewrites SIP packet headers and payloads, it can disrupt delivery. The rewrite can also make the device believe that it is not behind a NAT when in fact it is. If ALG disrupts a call, it can lead to incoming call failure, phones that unregister themselves, one-way audio, hold issues, and more. For this reason, the recommendation is that this function be disabled.
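Added example (not part of the original article, and not vendor or OneCloud code): a Python check that compares a SIP message as the phone sent it with the copy captured on the far side of the router, reporting which address fields were rewritten in transit and whether Content-Length still matches the body. The sample INVITE, the addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WATCHED_HEADERS = ("via", "contact")   # headers that carry the phone's address
WATCHED_SDP = ("o=", "c=")             # SDP body lines that carry it

def sample(ip):
    """Constructed INVITE, as a phone at address `ip` would send it."""
    body = f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\nm=audio 10000 RTP/AVP 0\r\n"
    return ("INVITE sip:1001@pbx.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK776\r\n"
            f"Contact: <sip:1000@{ip}:5060>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def parse(msg):
    """Split a SIP message into (lower-cased header dict, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def addresses(headers, body):
    """Map each watched field to the IPv4 addresses found in it."""
    found = {h: IPV4.findall(headers.get(h, "")) for h in WATCHED_HEADERS}
    for line in body.split("\r\n"):
        if line.startswith(WATCHED_SDP):
            found["sdp " + line[:2]] = IPV4.findall(line)
    return found

def alg_findings(sent, received):
    """List fields whose private address changed in transit, plus length errors."""
    (s_hdr, s_body), (r_hdr, r_body) = parse(sent), parse(received)
    after = addresses(r_hdr, r_body)
    findings = []
    for field, before in addresses(s_hdr, s_body).items():
        private = any(ipaddress.ip_address(a).is_private for a in before)
        if private and before != after.get(field, []):
            findings.append(f"{field}: {before} rewritten to {after.get(field, [])}")
    declared, actual = int(r_hdr.get("content-length", "0")), len(r_body.encode())
    if declared != actual:
        findings.append(f"content-length: declares {declared}, body is {actual} bytes")
    return findings

SENT = sample("192.168.1.50")
RECEIVED = SENT.replace("192.168.1.50", "203.0.113.7")  # constructed ALG result, stale length
```

An empty list means the message arrived as the phone sent it. A Content-Length finding is the invalid-packet case described above: the addresses were swapped but the declared length was not updated.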

 

Objective

To disable SIP-ALG in your Router or Firewall.

Tip: We highly recommend consulting an IT or network professional when configuring advanced network settings or devices.

 

Applies To

The following routers are covered in this guide:

  • Adtran
  • Arris
  • ASA
  • Cisco (non-ASA)
  • D-Link
  • Fortinet
  • Linksys
  • Netgear
  • SonicWall
  • UBEE Gateways
  • ZyXEL ZyWall USG


Device Guidance

ALG settings are typically found in the administration interface of the router, but each router’s configuration setup will differ. Check the manufacturer’s documentation to understand where to find and disable this setting in your device.

The following are general guidelines for popular makes and models. If you don't see your router or manufacturer below, consult the manufacturer's documentation.

Tip: It is highly recommended that you have your network IT administrator or a qualified professional configure the following in your router or firewall.

 

Note: Many routers will re-enable ALG by default if the router is ever reset or powered off and then back on.

 

Adtran Routers

Add the following: no ip firewall alg sip

 

Arris Gateways

Go to Advanced > Options.

Disable (uncheck) SIP.

Click Apply.

Arris Gateway IP Address: 192.168.0.1

  • Username: admin
  • Password: motorola

 

Arris BGW210-700 (AT&T)

Go to Firewall > Advanced Firewall

Set SIP ALG (OFF)

Authentication Header Forwarding (OFF)

ESP Header Forwarding (OFF)

Click Save

Arris Gateway IP Address: 192.168.1.254

  • Username: located on device's barcode sticker
  • Password: located on device's barcode sticker

 

ASA Routers

Go to policy-map global_policy > class inspection_default.

Enter: no inspect sip

 

Cisco (non-ASA)

On Cisco devices, SIP-ALG is referred to as SIP Fixup and is enabled by default on both routers and Pix devices. Because this is a default setting, no indication of it being "on" or "off" is visible in the configuration.

To disable SIP Fixup, issue the following commands:

General Routers

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Enterprise-Class Routers

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Pix Devices

no fixup protocol sip 5060
no fixup protocol sip udp 5060


D-Link Routers

From the admin interface page of the router, navigate to Advanced settings.

Under Application Level Gateway (ALG) Configuration, uncheck the SIP option.

 

Fortinet Routers

From the CLI, enter the following commands:

config system session-helper

show system session-helper

(Look for the session instance that refers to SIP—likely to be #12)

delete 12 (or the number corresponding to the SIP entry)

To confirm deletion, run show system session-helper again.

Ensure there is no reference to SIP or port 5060.

 

General Linksys Guidelines

From the ADMIN page of the router, navigate to [Administration] > [Advanced].

Look for and disable a SIP ALG option.

 

Linksys BEFSR41

From the ADMIN page of the router, navigate to [APPLICATIONS & GAMING] > [PORT TRIGGERING].

Enter [TCP] as the application.

Enter [5060] into the Start Port and End Port for both the Triggering Range and Forwarded Range.

Check Enable.

Save Settings.

Reboot IP phone.

 

Netgear Routers

From the administration interface, go to Security > Firewall > Advanced settings.

Uncheck the option for SIP ALG.

Under Security > Firewall > Session Limit, increase the UDP timeout to 300 seconds.

 

SonicWall Routers

Uncheck the box for Use SIP Header Transformation.

Disable consistent NAT.

When setting the Global Default UDP timeout value on a SonicWall firewall, you must still fix the individual UDP timeout values of pre-existing rules; only new rules inherit the Global Default. Increase the UDP timeout to the suggested 300 seconds both globally on the firewall and on the specific outbound firewall rule (or the default rule, as the case may be).

 

UBEE Gateways

Go to Advanced > Options.

Disable (uncheck) SIP.

Disable (uncheck) RTSP.

Click Apply.

 

ZyXEL ZyWALL USG Routers

Go to Settings > Configuration > Network > ALG.

Disable SIP ALG.

Note: If you have mixed models of phones like Poly/Aastra/Cisco/Panasonic, then you may experience difficulty in using ZyXEL ZyWALL routers.

 

Additional Information

Disabling SIP-ALG is an essential part of configuring the firewall on your router and optimizing it for OneCloud service. Many ALGs (including Cisco's) have bugs which cause call flow and registration failures. Some ALGs (including Cisco's) intermittently miss some packets (read: do not perform fixup), or in the case of fragmented packets, do not even examine and change headers.

When SIP-ALG is enabled, CP SBCs determine the endpoints are publicly addressed and therefore do not need frequent registration refreshes to keep the firewall port open between SBC and the endpoint. In this case, the firewall can close the port between OneCloud and the device endpoint, causing an inability to receive incoming calls. The most common issues that result from enabled SIP-ALG when using Virtual Office applications include:

  • Outbound call status stuck in Dialing...
  • An inability to field incoming calls (call continues to ring and cannot be answered)
  • Phones not able to register with OneCloud
