SIP-AlG Information
NOTE: WE HIGHLY RECOMMEND CONSULTING AN IT OR NETWORK PROFESSIONAL WHEN CONFIGURING ADVANCED NETWORK SETTINGS OR DEVICES.
IT'S IMPORTANT TO HAVE THE CORRECT SIP-ALG SETTING
Overview
Disabling SIP-ALG is an essential part of configuring the firewall on your router and optimizing it for SIP Services. Many ALGs (including Cisco's) have bugs which cause call flow and registration failures. Some ALGs (including Cisco's) intermittently miss some packets (read: do not perform fixup), or in the case of fragmented packets, do not even examine and change headers.
When SIP-ALG is enabled, many providers' SBCs determine the endpoints are publicly addressed and therefore do not need frequent registration refreshes to keep the firewall port open between SBC and the endpoint. In this case, the firewall can close the port between SIP Carriers and the device endpoint, causing an inability to receive incoming calls.
The most common issues that result from enabled SIP-ALG when using SIP Hosted Phones include:
Park/Hold features fail along with the ? symbol as the button status.
An inability to receive incoming calls.
Phones not able to register or stay registered
Additional SIP-ALG information and settings can be found at:
http://www.voip-info.org/wiki/view/Routers+SIP+ALG.
Device Guidance
It is highly recommended you have your network or IT administrator or a qualified professional configure the following in your company's router or firewall. Making ADMIN level changes can have far reaching consequences, so one should understand the risks when modifying settings that affect your company's network.
ALG settings are typically found in the administration interface of the router, but each router’s configuration setup will differ. Check the manufacturer’s documentation to understand where to find and disable this setting in your device. (Please note that many routers will re-enable ALG by default if the router is ever reset or powered off then back on.)
The following are general guidelines for popular makes and models. If you don't see your router or manufacturer below, consult the manufacturer's documentation. This is only a guide and some suggested helps based on other customer feedback. Refer to your manufacturer documentation for the best solution and if these apply to your specific model and deployment configuration.
Adtran Routers
Add the following:
no ip firewall alg sip
Adtran Netvanta
Log in to the router's web interface at your router's local IP address.
Expand the Data section on the left side of the admin portal.
Select Firewall / ACLs from the Firewall section.
Click the ALG Settings tab.
Disable the SIP ALG option by unchecking the box.
Click Apply.
Arris Gateways
Go to Advanced > Options.
Disable (uncheck) SIP.
Click Apply.
Arris Gateway IP Address: 192.168.0.1
Username: admin
Password: motorola
ASA Routers
Go to policy-map global_policy > class inspection_default.
Enter:
no inspect sip
ASUS
Log into your router's web interface, then select WAN > NAT Passthrough
Locate the SIP Passthrough option and choose Disable. Click Apply and, if prompted, restart your router.
Cisco (non-ASA)
On Cisco devices, SIP-ALG is referred to as SIP Fixup and is enabled by default on both routers and Pix devices. Because this is a default setting, no indication of it being "on" or "off" is visible in the configuration.
To disable SIP Fixup, issue the following commands:
General Routers
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
Enterprise-Class Routers
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
Pix Devices
no fixup protocol sip 5060
no fixup protocol sip udp 5060
D-Link Routers
From the admin interface page of the router, navigate to Advanced settings.
Under Application Level Gateway (ALG) Configuration, uncheck the SIP option.
Draytek
Login to your router's web interface and select NAT > ALG from the menu on the left.
Uncheck Enable ALG, then select OK to confirm your changes. If prompted, restart your router to finalise the change.
Fortinet Routers
From CLI interface, type the following commands:
config system session-helper
show system session-helper
(Look for the session instance that refers to SIP—likely to be #12)
Delete 12
(Or number corresponding to SIP reference)
To confirm deletion, run show system session-helper again.
Ensure there is no reference to SIP or port 5060.
Linksys Routers
General Linksys Guidelines
From the ADMIN page of the router, navigate to [Administration] > [Advanced].
Look for and disable a SIP ALG option.
Linksys BEFSR41
From the ADMIN page of the router, navigate to [APPLICATIONS & GAMING] > [PORT TRIGGERING].
Enter [TCP] as the application.
Enter [5060] into the Start Port and End Port for both the Triggering Range and Forwarded Range.
Check Enable.
Save Settings.
Reboot IP phone.
Mikrotik Router
Disabling SIP ALG:
In Winbox or Webfig, navigate to IP > Firewall > Service Ports
Locate the SIP line and disable it
Restart the router
Restart the phones
Netgear Routers
From administration interface, go to Security > Firewall > Advanced settings.
Uncheck the option for SIP ALG.
Under Security > Firewall > Session Limit, increase the UDP timeout to the 300 seconds.
SonicWall Routers
Uncheck the box for Use SIP Header Transformation.
Enable consistent NAT. (For Hosted Phone deployments only)
When setting the Global Default UDP timeout value on a SonicWall firewall, you must still fix the pre-existing rules' individual UDP timeout values. New rules will inherit the Global Default. Increase the UDP timeout to the suggested 300 seconds both globally on the firewall and the specific out-bound firewall rule (or the default rule, as the case may be).
Sophos
Login to the Sophos CLI using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner of the Admin Console screen.
Enter option 4 to connect to the Device Console
Execute the following command:
console> system system_modules sip unload
UBEE Gateways
Go to Advanced > Options.
Disable (uncheck) SIP.
Disable (uncheck) RTSP.
Click Apply.
TPLink
From the router's menu, select Network > ALG Settings. On some firmware versions, this has moved to Advanced > NAT Forwarding > ALG
Under Application Layer Gateway (ALG), find SIP ALG and check Disable. Click save and, if prompted, restart your router.
Ubiquiti EdgeRouter
Log in to your router's management interface, then select System -> Conntrack -> Modules -> Sip -> Disable
ZyXEL ZyWALL USG Routers
Go to Settings > Configuration > Network > ALG.
Disable SIP ALG.
Connectivity is a business strategy. Dobson can help.
Call us at 855.5.DOBSON, or click the link to get started.