SIP ALG: What Is It & Why VoIP Users Should Disable It

October 1, 2020 10 min read

Cameron Johnson

Cameron Johnson

Disable SIP ALG Tutorial - Updated

So, you set up your VoIP phone system, but you’re experiencing dropped calls, no incoming calls, or your phone keeps ringing after you pick up.
The good news is that you will be able to instantly resolve your Voice over IP issues once you disable SIP ALG.
In this updated guide, we’ll cover why SIP ALG must be turned off, and we’ll include tips to optimize your network for VoIP phone service.
This guide is perfect for novices as well as advanced users. Let’s get started!

What is SIP ALG?

SIP ALG is a feature found in most networked routers, operating as a function of its firewall. It consists of two different technologies, explained below:

  • Session Initiation Protocol (SIP) – The underlying service that powers all Voice over Internet Protocol (VoIP) phones, apps, and devices. SIP manages registering devices, maintaining call presence, and overseeing the call audio. Read more about SIP in our deep dive here.
  • Application Layer Gateway (ALG) – Routers segments your ISP and your internal network through a process known as Network Address Translation (NAT). An ALG acts as a proxy to rewrite the destination addresses in data packets for improved connectivity.

If you need a little more context, watch our 2-minute video below explaining SIP ALG and why you may want to disable it.

The problem with SIP ALG is the packet rewriting aspect of it. SIP ALG can be useful to mitigate multiple NATs, but it doesn’t help the vast majority. Let’s take a more in-depth look at what’s happening with these data packets.

Examples of a modified packet (SIP ALG).
SIP ALG modifies the destination addresses of VoIP packets causing reliability issues.

The diagram above shows that the Application Layer Gateway changes the destination public IPs in SIP packets. Certain commercial routers are smart enough to inspect the SIP messages themselves to leave private IP addresses alone.
Today’s office PBX systems, conference calls, and even audio/video conferencing rely on SIP. Signaling protocols like SDP, RTP, and RTSP all face the same issues because they are a subset of SIP packets.
Related: An Introduction to SIP Protocol: Definition, Features, & More

Signs SIP ALG affects VoIP calls

There are a few categories of symptoms SIP ALG could affect VoIP phone. It’s not always apparent, especially since these issues often happen silently without users knowing.

  • One-way audio (only one person can hear the other)
  • Phones do not ring when called
  • Calls drop after being connected
  • Calls going straight to voicemail for no known reason

What’s happening is that some VoIP traffic is lost between the phone and the VoIP service provider. This interruption is happening because of router firewalls. This traffic is essential to maintaining the phone’s availability and selecting the proper audio codecs.
Many routers default SIP ALG to on within their device’s firmware. Thanks to easy and simple web interfaces, simply check or uncheck a box. Pictured below is an example:

Example Showing How to Turn Off SIP Application Layer Gateway (TP-Link)
Disabling SIP ALG is often as simple as unchecking a box. (TP-Link Archer A9).

How do I turn off SIP ALG?

To disable SIP ALG, you will need to log into your router. Your router can also function as a modem for some broadband gateways. Popular brands of routers include Cisco, Linksys, Netgear, D-Link, Asus, and TP-Link.
We’ve compiled a list of the top routers and included links to disable the Application Layer Gateway, which can interfere with VoIP calls.
In most cases, you will need to sign in to your router with the admin password. Look under its security settings, uncheck SIP ALG, save and reboot your router. More advanced corporate firewalls may require further adjustment, such as port forwarding.

Router ManufacturerSteps to Disable SIP ALG
Actiontec
  1. Select Advanced, click Yes to accept the warning, then click ALG’s.
  2. Ensure SIP ALG is disabled by removing the check.
  3. Click Apply.
  4. Select Advanced, click Yes to accept the warning, then click Remote Administration.
  5. Click the checkbox to Allow Incoming WAN ICMP Echo Requests (for traceroute and ping), then click Apply.
  6. For more info, check out this support article.
Adtran
  1. Under Firewall, go to Firewall / ACLs.
  2. Click on ALG Settings.
  3. Uncheck the box labeled SIP ALG
  4. Click Apply.

If you are using the terminal, issue the following command:
no ip firewall alg sip

ArrisMost Arris broadband gateways:

  1. Navigate to the gateway’s IP (192.168.0.1).
    Username: admin Password: motorola
  2. Navigate to Advanced, then Options.
  3. Uncheck the SIP box.
  4. Click Apply.

Arris BGW210

  1. Navigate to 192.168.1.254.
    Authenticate without a username, and use the password located on the unit’s sticker.
  2. Under the Firewall section, click on Advanced Firewall.
  3. Change the Set SIP ALG setting to off.
  4. Turn off the Authentication Header Forwarding.
  5. Turn off ESP Header Forwarding.
  6. Click Save.
Asus
  1. Under the Advanced Settings section, click WAN.
  2. Click the NAT Passthrough tab.
  3. Change the SIP Passthrough setting to “Disable.”
  4. Click Apply.
AT&T

U-Verse Pace 5268AC Gateway
This broadband gateway does not support disabling SIP ALG. We recommend configuring your gateway to function only as a modem, not a router (Bridge Mode). You will need to use another router that supports disabling SIP ALG.

Cisco

Cisco General and Enterprise-Class routers:
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Cisco PIX routers:
no fixup protocol sip 5060
no fixup protocol sip udp 5060

Cisco ASA routers:
Locate ‘Class inspection_default’ under ‘Policy-map global_policy’. Execute this command: no inspect sip

D-Link
  1. Click on Advanced Settings.
  2. Locate the Application Level Gateway (ALG) Configuration.
  3. Uncheck the SIP option.
  4. Click Save.

DIR-655:

  1. Click Advanced, located along the top.
  2. Click Firewall Settings on the left side of the screen.
  3. Uncheck Enable SPI
  4. Set both UDP and TCP Endpoint Filtering to Endpoint Independent.
  5. Uncheck SIP from Application Level Gateway Configuration.
  6. Click Save.
Fortinet
  1. Use the following commands from the CLI interface:
    config system session-helper
    show system session-helper
  2. Find the SIP session instance, typically indicated by #12
  3. Delete #12 or the appropriate number
  4. Confirm its deletion by executing this command:
    show system session-helper. For more guidance, follow this article.
Linksys

Linksys Smart Wi-Fi (E-series):

  1. On the left side of the screen, click on Connectivity.
  2. Click the Administration tab.
  3. Under Application Layer Gateway, verify SIP is unchecked.
  4. Click Apply or Save.

Older Linksys models:

  1. Go to the ‘Advanced’ section on the Admin page
  2. Disable the SIP ALG feature.

Linksys BEFSR41 routers:

  1. Click on Applications and Gaming on the Admin page.
  2. Click on Port Triggering. 
  3. Type in ‘TCP’ as the application.
  4. Type in ‘5060’ into the Start Port and End Port for the ‘Triggering Range’ and ‘Forwarded Range’ fields.
  5. Check ‘Enable’.
  6. Click on Save and Reboot.
MikrotikFor Mikrotik routers, SIP ALG is known as SIP Helper.

  1. Use the company’s winbox software.
  2. Navigate to IP, then Firewall.
  3. Click on the Service Ports tab and disable it through the GUI.
  4. You may also run this command from the terminal:
    /ip firewall service-port disable sip
Netgear

For Netgear routers with the Genie interface:

  1. Select the Advanced tab at the top.
  2. Expand the Setup menu on the left side of the screen.
  3. Click WAN Setup.
  4. Check the box labeled Disable SIP ALG.

Other Netgear routers:

  1. Under the Security/Firewall, click on Advanced Settings.
  2. Disable SIP ALG.
  3. Locate Session Limit under Security/Firewall.
  4. Increase the UDP timeout to 300 sec.
SonicWall
  1. Under System Setup on the left side of the screen, click on VoIP.
  2. Check ‘Enable Consistent NAT’
  3. Uncheck ‘Enable SIP Transformations’.
  4. Click Accept.
  5. To increase UDP timeouts, navigate to the Firewall Settings, then Flood Protection.
  6. Click on the UDP tab and modify the default UDP connection timeout to 300 seconds.
  7. Click the Accept button to save the changes. For more information, consult this support article.
TP-Link

Newer TP-Link routers (Archer series):

  1. Click on the Advanced Tab.
  2. Expand the NAT Forwarding menu on the left side of the screen.
  3. Uncheck SIP ALG, RTSP ALG, and H323 ALG checkboxes.
  4. Click Save.

Older TP-Link routers:

  1. Use the Telnet client from the Command Prompt.
  2. Apply the following command:
    ip nat service sip sw off
UBEE
  1. Go to Advanced, then Options.
  2. Uncheck the SIP and the RTSP checkboxes.
  3. Click Apply.
Ubiquiti

UniFi Security Gateway

  1. Sign in to your UniFi security gateway.
  2. Click on Routing & Firewall along the left side.
  3. Click the Firewall tab at the top and click Settings from the sub-menu.
  4. Toggle H.323 and SIP to off.
  5. Click the Apply Changes button.

EdgeRouters (ER-x)

  1. Access the router’s administrative interface, typically at 192.168.1.1.
  2. Use the Config Tree or a command-line interface to disable SIP ALG.

Config Tree:

  1. Select config tree in the top right-hand corner.
  2. Expand system, conntrack, modules, and sip.
  3. Click the plus sign next to disable.
  4. Click the Preview option.
  5. Click Apply.

Command Line Interface:

  1. From the administrative interface, choose CLI located at the top right corner of the screen.
  2. From here, we can also increase UDP timeouts as well.
  3. Enter these commands into the terminal:
    configure
    set system conntrack modules sip disable
    set system conntrack timeout udp stream 300
    set system conntrack timeout udp other 300
    commit
    save
    exit
Verizon FiOS

G1100

This broadband gateway does not support disabling SIP ALG. We recommend configuring your gateway to function only as a modem, not a router. You will need to use another router that supports disabling SIP ALG.

ZyXEL

ZyXEL ZyWALL/USG60:

  1. Click on Configuration and expand the Network settings.
  2. Click ALG along the left side.
  3. Uncheck all the checkboxes on the right side:
    1. Uncheck Enable SIP ALG.
    2. Uncheck Enable SIP Transformations.
  4. Click Apply.
  5. For more information, consult this help article.

ZyXEL C1000Z/C1100Z (CenturyLink):

  1. Click on Advanced Setup.
  2. Click on SIP ALG along the left side.
  3. Toggle the SIP ALG setting to Disable.
  4. Click Apply.

ZyXEL P600:

  1. Telnet to the router (192.168.1.1) and enter the password.
  2. The default password is 1234. Type “24” and press enter.
  3. Then “8” and press enter.
  4. Provide this command:
    ip nat service sip active 0
  5. When done, press Enter.
VoIP provider not keeping up?
Try Nextiva and see how reliable VoIP can be.

Why disable SIP ALG?

Conventional wisdom would suggest that an Application-Level Gateway is supposed to be enabled. After all, many consumer and commercial router settings even default SIP ALG to on.
As a feature in most broadband routers, SIP ALG was introduced with good intentions in response to the limitations of Network Address Translation. Unfortunately, it interferes with the built-in functionality of IP and signaling protocols. It’s no longer necessary with today’s VoIP applications.
Since ALGs exist at the Application Layer of the OSI Model, it doesn’t consider the datagrams within transport protocols like UDP or TCP. VoIP signaling protocols solve these common issues by including the public and private IP addresses in every packet.
Some routers try to improve security by terminating open connections in the firewall. Dubbed a “firewall pinhole,” it means that traffic can work momentarily, but when a SIP proxy drops packets, it can affect VoIP calls after you establish them.

Visualizing where SIP ALG in a Network Diagram.
Most routers include a built-in Application Layer Gateway that interferes with VoIP calls.

You should disable SIP ALG because it:

  • Interrupts SIP traffic like calls and conferencing apps.
  • Affects the perceived reliability of desk phones and VoIP apps.
  • Isn’t needed when using cloud-based VoIP providers.

For almost all VoIP users with a virtual phone service, the best practice is to turn off SIP ALG entirely.
The only reason why you would enable SIP ALG is if your router manufacturer or VoIP provider has instructed you. Given the prominence of VoIP and Application Layer Gateways, they will provide proper settings to work with your VoIP provider.
Related: 10 VoIP Problems Anyone Can Fix (+ Best Practices)

Best practices for reliable VoIP performance

Voice over Internet Protocol (VoIP) demands a few basics for optimal phone calls. In short, that’s bandwidth, latency, and stability. Follow these tips to improve inbound and outbound call quality and connectivity for your team.

1) Choose a high-bandwidth ISP with the proper hardware.

As a part of a robust VoIP architecture, you’ll want plenty of headroom for network utilization. Using gigabit switches and routers will eliminate any internal bottlenecks. Remember that you likely have many computers, phones, and TVs that also consume bandwidth. Aim for only using 80% of your allotted bandwidth.

2) Use wired Ethernet connections whenever possible.

Wireless connections are susceptible to interference that can cause packet loss and jitter. Latency and packet loss aren’t usually noticeable through casual browsing, but it can affect VoIP calls, especially on VoIP desk phones. When using Wi-Fi, ensure you have a strong signal and have disabled SIP ALG in your wireless router.

3) Lengthen your UDP timeouts.

Most VoIP phone systems connect using User Datagram Protocol (UDP) for higher throughput and less connection overhead. However, this can come at a cost in reliability. Set your UDP timeouts to 150 seconds. If you find that your network routes get congested often, consider switching your VoIP setup over to Transmission Control Protocol (TCP). This tweak will increase your VoIP reliability. Consult with your VoIP service provider for further guidance.

4) Set up Virtual LAN (VLAN) tagging for SIP Devices.

After approximately 15 users, we recommend implementing network prioritization using Quality of Service (QoS). VLAN tagging lets you prioritize VoIP data above non-essential traffic. Doing so will minimize packet loss and enhance your overall VoIP security.

5) Keep up on firmware updates.

Take an active approach in checking for your router manufacturer’s firmware patches. These may sometimes revert settings, but they will patch security and performance issues. You may need to consult with the vendor to download updates from its FTP or push software images via the Command Line Interface (CLI) for commercial routers.

Related: VoIP Architecture Guide [+ Network Diagrams]

Selecting the right VoIP phone service

Disabling SIP ALG can be the solution to many problems when making calls with VoIP. Many technicians often overlook this simple fix. It’s undoubtedly worth adjusting to enhance the overall reliability and performance of your virtual phone service.
You’re likely reading this article because your phone system isn’t working right. It happens to the best of us. Instead of trying to fix this on your own, you could talk with one of our VoIP experts.
Nextiva has been providing companies a better choice for commercial phone service for over 15 years. Unlike telephone and cable companies, We cater only to businesses. Arguably, we deliver the best live support, which is why we call it Amazing Service®.

Hang up on VoIP hassles.
Get superior reliability with Nextiva.

Cameron Johnson

ABOUT THE AUTHOR

Cameron Johnson

Cameron Johnson is a market segment leader at Nextiva. Along with his well-researched contributions to the Nextiva Blog, Cameron has written for a variety of publications including Inc. and Business.com. Cameron was recently recognized as Utah's Marketer of the Year.

Posts from this author
Call badge icon