SIP ALG: WHAT IS IT & HOW DO I DISABLE IT?

---

If you're experiencing issues with your VoIP phone service, SIP ALG could be the problem. We have good news ... this can be easily remedied.

This article will answer the following questions:

• What is SIP ALG?
• What are common signs that SIP ALG is affecting my VoIP calls?
• How do I disable SIP ALG?

WHAT IS SIP ALG?

SIP ALG stands for Application Layer Gateway. It is usually enabled by default on many commercial and residential Firewalls, Routers, or Modems. SIP ALG is a Network Address Translation tool that inspects SIP data packets and transforms or rewrites the Private IP addresses and Ports to Public IP Addresses and Ports. In theory this should not be a problem.

However, problems occur because many residential and even commercial Firewalls and Modems still do not fully understand SIP routing. This can cause some of the SIP data packets to either be delivered to the wrong destination, or not be delivered at all.

WHAT ARE SIGNS THAT SIP ALG IS AFFECTING MY CALLS?

Call issues can occur for a variety of reasons, but there are some common signs that can point to SIP ALG being the problem.

• Call Completion Issues - Difficulty making or receiving calls, or phone continues to ring after call is answered
• Dropped Calls - Calls unexpectedly end after having been successfully connected
• One Way Audio - One caller cannot hear the other
• Inconsistent Call Quality - Disruptions or delay while on a call

While these symptoms can be caused by other factors, such as a bad internet connection, if nothing else has resolved the problem disabling SIP ALG is worth a try.

HOW DO I DISABLE SIP ALG?

SIP ALG is enabled by default on most routers. Disabling it can help make sure calls go through smoothly and without interruption. To disable this setting, you will need to log into your router. Scroll down to find a list of the most standard routers, along with instructions to disable SIP ALG.

For most routers, you will need to log into your router with the admin password, locate the security settings, uncheck SIP ALG, save your changes, and reboot your router. More advanced firewalls may require additional modifications, such as port forwarding.

Router Manufacturer Steps to Disable SIP ALG

Actiontec

1. Log into the router's web interface
2. Select Advanced, then click Yes to accept the warning
3. Click ALGs and remove the check to disable SIP ALG
4. Click Apply
5. Select Advanced, then click Yes to accept the warning
6. Click Remote Administration
7. Click the checkbox to Allow Incoming WAN ICMP Echo Requests
8. Click Apply

Adtran

1. Log into the router's web interface
2. Expand the Firewall Data section
3. Go to Firewall/ACLs
4. Click ALG Settings
5. Uncheck SIP ALG
6. Click Apply
   If you are using the terminal, enter the command: no ip firewall alg sip

Arris - most Arris broadband gateways

1. Enter the gateway's IP address (192.168.0.1) into a web browser
2. Log in with Username: admin and Password: motorola
3. Select Advanced, then Options
4. Uncheck SIP
5. Click Apply

Arris BGW210

1. Enter the IP address (192.168.1.254) into a web browser
2. Authenticate using the password found on the router's sticker
3. Select Firewall, then Advanced Firewall
4. Toggle Set SIP ALG to off
5. Turn off Authentication Header Forwarding
6. Turn off ESP Header Forwarding
7. Click Save

Asus

1. Log into the router's web interface
2. Locate Advanced Settings and select WAN
3. Select NAT Passthrough
4. Set SIP Passthrough to Disable
5. Click Apply

AT&T: U-Verse Pace 5268AC Gateway
This gateway does not allow you to disable SIP ALG. Instead, configure your gateway to function as a modem, not a router. This means setting it to Bridge Mode. You will need to use another router that allows you to disable SIP ALG.

Cisco General & Enterprise-Class Routers

• no ip nat service sip tcp port 5060
• no ip nat service sip udp port 5060

Cisco PIX Routers

• no fixup protocol sip 5060
• no fixup protocol sip udp 5060

Cisco ASA Routers

1. Locate ‘Class inspection_default’ under ‘Policy-map global_policy’
2. Execute this command: no inspect sip

D-Link

1. Log into the router's web interface
2. Select Advanced Settings
3. Locate Application Level Gateway (ALG) Configuration
4. Uncheck SIP
5. Click Save

D-Link DIR-655

1. Log into the router's web interface
2. Select Advanced and then Firewall Settings
3. Uncheck Enable SIP
4. Set both UDP and TCP Endpoint Filtering to Endpoint Independent
5. Uncheck SIP from Application Level Gateway Configuration
6. Click Save

Fortinet
Use the following commands from the CLI interface:

• config system session-helper
• show system session-helper
  Find the SIP session instance, typically indicated by #12
• Delete #12 or the appropriate number
  Confirm its deletion by executing this command:
• show system session-helper

Linksys Smart Wi-Fi (E-Series)

1. Log into the router's web interface
2. Select Connectivity
3. Select Administration
4. Under Application Layer Gateway, uncheck SIP
5. Click Apply or Save

Linksys BEFSR41 Routers

1. Log into the router's web interface
2. Select Applications and Gaming on the Admin page
3. Select Port Triggering
4. Enter TCP as the Application
5. Enter 5060 as the Start Port and End Port for the Triggering Range and Forwarded Range fields
6. Check Enable
7. Click Save
8. Reboot

Linksys - Older Models

1. Log into the router's web interface
2. Select Admin, then Advanced
3. Set SIP ALG to Disable

Mikrotik
SIP ALG is referred to as SIP Helper

1. Use the company's Winbox software
2. Navigate to IP, then Firewall
3. Click on Service Ports and disable it through the GUI
   If you are using the terminal, enter the command: /ip firewall service-port disable sip

Netgear with Genie Interface

1. Log into the router's web interface
2. Select Advanced
3. Expand the Setup menu
4. Click WAN Setup
5. Check Disable SIP ALG

Netgear - Other Models

1. Log into the router's web interface
2. Under Security/Firewall, select Advanced Settings
3. Disable SIP ALG
4. Select Session Limit under Security/Firewall
5. Increate the UDP timeout to 300 sec

SonicWall

1. Log into the router's web interface
2. Under System Setup, select VoIP
3. Check Enable Consistent NAT
4. Uncheck Enable SIP Transformations
5. Click Accept
6. Navigate to Firewall Settings, then Flood Protection
7. Select UDP and change Default UDP Connection Timeout to 300 seconds
8. Click Accept
   Click here for SonicWall's support article.

TP-Link - Archer Series

1. Log into the router's web interface
2. Select Advanced
3. Expand the NAT Forwarding menu
4. Uncheck SIP ALG, RTSP ALG, and H323 ALG boxes
5. Click Save

TP-Link - Older Models

1. Use the Telnet client from the Command Prompt
2. Enter the command: ip nat service sip sw off

UBEE

1. Log into the router's web interface
2. Select Advanced, then Options
3. Uncheck SIP and RTSP checkboxes
4. Click Apply

Ubiquiti UniFi Security Gateway

1. Sign into your UniFi security gateway
2. Select Routing & Firewall
3. Select Firewall, hten Settings
4. Toggle H323 and SIP to off
5. Click Apply Changes

Ubiquiti Edge Routers (ER-x)

1. Log into the router's admin interface, typically 192.168.1.1
2. Use the Config Tree or a command line interface to disable SIP ALG

Ubiquiti Config Tree

1. Select Config Tree
2. Expand System, Conntrack, Modules, and SIP
3. Click the plus sign next to Disable
4. Click Preview
5. Click Apply

Ubiquiti Command Line Interface

1. From the Admin interface, choose CLI at the top right corner of the screen
2. From here, you can also inrease UDP timeouts
3. Enter these commands into the terminal:
   • configure
     • set system conntract modules sip disable
     • set system conntrack timeout udp stream 300
     • set system conntrack timeout udp other 300
     • commit
     • save
     • exit

Verizon FiOS G1100
This gateway does not allow you to disable SIP ALG. Instead, configure your gateway to function as a modem, not a router. You will need to use another router that allows you to disable SIP ALG.

ZyXEL ZyWALL/USG60

1. Log into the router's web interface
2. Select Configuration and expand Network settings
3. Select ALG
4. Uncheck all boxes on the right side
   • Uncheck Enable SIP ALG
   • Uncheck Enable SIP Transformations
5. Click Apply

ZyXEL C1000Z/C1100Z (CenturyLink)

1. Log into the router's web interface
2. Select Advanced Setup
3. Select SIP ALG
4. Toggle SIP ALG to Disable
5. Click Apply

ZyXEL P600

1. Telnet to the router (192.168.1.1) and enter the password (default password: 1234)
2. Type 24 and press enter
3. Type 8 and press enter
4. Enter this command: ip nat service sip active 0
5. Click Enter