SIP-AlG Information

NOTE: WE HIGHLY RECOMMEND CONSULTING AN IT OR NETWORK PROFESSIONAL WHEN CONFIGURING ADVANCED NETWORK SETTINGS OR DEVICES.

IT'S IMPORTANT TO HAVE THE CORRECT SIP-ALG SETTING

Overview

Disabling SIP-ALG is an essential part of configuring the firewall on your router and optimizing it for SIP Services.  Many ALGs (including Cisco's) have bugs which cause call flow and registration failures. Some ALGs (including Cisco's) intermittently miss some packets (read: do not perform fixup), or in the case of fragmented packets, do not even examine and change headers.

When SIP-ALG is enabled, many providers' SBCs determine the endpoints are publicly addressed and therefore do not need frequent registration refreshes to keep the firewall port open between SBC and the endpoint. In this case, the firewall can close the port between SIP Carriers and the device endpoint, causing an inability to receive incoming calls.

The most common issues that result from enabled SIP-ALG when using SIP Hosted Phones include:

  • Park/Hold features fail along with the ? symbol as the button status.

  • An inability to receive incoming calls.

  • Phones not able to register or stay registered

Additional SIP-ALG information and settings can be found at:

 http://www.voip-info.org/wiki/view/Routers+SIP+ALG.

Device Guidance

It is highly recommended you have your network or IT administrator or a qualified professional configure the following in your company's router or firewall.  Making ADMIN level changes can have far reaching consequences, so one should understand the risks when modifying settings that affect your company's network.

ALG settings are typically found in the administration interface of the router, but each router’s configuration setup will differ. Check the manufacturer’s documentation to understand where to find and disable this setting in your device. (Please note that many routers will re-enable ALG by default if the router is ever reset or powered off then back on.)

The following are general guidelines for popular makes and models. If you don't see your router or manufacturer below, consult the manufacturer's documentation.   This is only a guide and some suggested helps based on other customer feedback.  Refer to your manufacturer documentation for the best solution and if these apply to your specific model and deployment configuration.

Adtran Routers

Add the following:

no ip firewall alg sip

Adtran Netvanta

  1. Log in to the router's web interface at your router's local IP address.

  2. Expand the Data section on the left side of the admin portal.

  3. Select Firewall / ACLs from the Firewall section.

  4. Click the ALG Settings tab.

  5. Disable the SIP ALG option by unchecking the box.

  6. Click Apply.

Arris Gateways 

  1. Go to Advanced > Options.

  2. Disable (uncheck) SIP.

  3. Click Apply.

Arris Gateway IP Address: 192.168.0.1

  • Username: admin

  • Password: motorola

ASA Routers

  1. Go to policy-map global_policy > class inspection_default.

  2. Enter:

no inspect sip

ASUS

Log into your router's web interface, then select WAN > NAT Passthrough

Locate the SIP Passthrough option and choose Disable. Click Apply and, if prompted, restart your router.

Cisco (non-ASA)

On Cisco devices, SIP-ALG is referred to as SIP Fixup and is enabled by default on both routers and Pix devices. Because this is a default setting, no indication of it being "on" or "off" is visible in the configuration.

To disable SIP Fixup, issue the following commands:

General Routers

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Enterprise-Class Routers

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Pix Devices

no fixup protocol sip 5060
no fixup protocol sip udp 5060

D-Link Routers

  1. From the admin interface page of the router, navigate to Advanced settings.

  2. Under Application Level Gateway (ALG) Configuration, uncheck the SIP option.

Draytek

Login to your router's web interface and select NAT > ALG from the menu on the left.

Uncheck Enable ALG, then select OK to confirm your changes. If prompted, restart your router to finalise the change.

Fortinet Routers

  1. From CLI interface, type the following commands:

  • config system session-helper 
  • show system session-helper 

    (Look for the session instance that refers to SIP—likely to be #12)

  • Delete 12 

    (Or number corresponding to SIP reference)

  1. To confirm deletion, run show system session-helper again.

  2. Ensure there is no reference to SIP or port 5060.

Linksys Routers

General Linksys Guidelines

  1. From the ADMIN page of the router, navigate to [Administration] > [Advanced].

  2. Look for and disable a SIP ALG option.

Linksys BEFSR41

  1. From the ADMIN page of the router, navigate to [APPLICATIONS & GAMING] > [PORT TRIGGERING].

  2. Enter [TCP] as the application.

  3. Enter [5060] into the Start Port and End Port for both the Triggering Range and Forwarded Range.

  4. Check Enable.

  5. Save Settings.

  6. Reboot IP phone.

Mikrotik Router

Disabling SIP ALG:

  1. In Winbox or Webfig, navigate to IP > Firewall > Service Ports

  2. Locate the SIP line and disable it

  3. Restart the router

  4. Restart the phones

Netgear Routers

  1. From administration interface, go to Security > Firewall > Advanced settings.

  2. Uncheck the option for SIP ALG.

  3. Under Security > Firewall > Session Limit, increase the UDP timeout to the 300 seconds.

 SonicWall Routers

  1. Uncheck the box for Use SIP Header Transformation.

  2. Enable consistent NAT. (For Hosted Phone deployments only)

When setting the Global Default UDP timeout value on a SonicWall firewall, you must still fix the pre-existing rules' individual UDP timeout values. New rules will inherit the Global Default. Increase the UDP timeout to the suggested 300 seconds both globally on the firewall and the specific out-bound firewall rule (or the default rule, as the case may be).

Sophos

Login to the Sophos CLI using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner of the Admin Console screen.

Enter option 4 to connect to the Device Console

Execute the following command: 

console> system system_modules sip unload

UBEE Gateways

  1. Go to Advanced > Options.

  2. Disable (uncheck) SIP.

  3. Disable (uncheck) RTSP.

  4. Click Apply.

TPLink

From the router's menu, select Network > ALG Settings. On some firmware versions, this has moved to Advanced > NAT Forwarding > ALG

Under Application Layer Gateway (ALG), find SIP ALG and check Disable. Click save and, if prompted, restart your router.

Ubiquiti EdgeRouter

Log in to your router's management interface, then select System -> Conntrack -> Modules -> Sip -> Disable

 ZyXEL ZyWALL USG Routers

  1. Go to Settings > Configuration > Network > ALG.

  2. Disable SIP ALG.

 

Connectivity is a business strategy. Dobson can help.

Call us at 855.5.DOBSON, or click the link to get started.