SIP-ALG, the underestimated VoIP Enemy

SIP-ALG is supposed to simplify the life of SIP devices behind NAT/PAT and it works by rewriting relevant SIP headers and SDP session information with the public IP address of the router and the port used.

When SIP traffic is encrypted using TLS, routers cannot manipulate the packets, so devices using TLS are not affected. This is why all Wildix users experience fewer problems when connecting remote devices and a higher level of security.

Unfortunately, the majority of SIP operators do not support TLS and encryption, which allows SIP-ALG enabled routers to modify packets in transit. The problem is that SIP-ALG implementations often do not work correctly, or that the modifications made by the SIP-ALG application resident on the router conflict with the NAT traversal header changes made by the SIP endpoint (usually by STUN-enabled devices). In such cases the result is calls with one-way audio or no audio at all.
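One way to confirm that a router's SIP-ALG is rewriting traffic is to capture the same SIP message on the phone side and on the operator side and compare the NAT-relevant fields. The following is an added example, not part of the original article; both messages, all addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample: INVITE as sent by a phone behind NAT (private address 192.168.1.50).
SENT = "\r\n".join([
    "INVITE sip:100@sip.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds;rport",
    "From: <sip:200@sip.example.com>;tag=1928301774",
    "To: <sip:100@sip.example.com>",
    "Call-ID: a84b4c76e66710@192.168.1.50",
    "CSeq: 1 INVITE",
    "Contact: <sip:200@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 10000 RTP/AVP 0 8",
])
# Constructed sample: the same INVITE as captured on the operator side after an ALG rewrote it.
RECEIVED = (SENT.replace("192.168.1.50:5060", "203.0.113.7:1024")
                .replace("c=IN IP4 192.168.1.50", "c=IN IP4 203.0.113.7")
                .replace("m=audio 10000", "m=audio 1026"))

# Headers and SDP lines an ALG typically touches (long header forms only).
FIELDS = {
    "via_sent_by": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.I | re.M),
    "contact": re.compile(r"^Contact:.*?@([^>;\s]+)", re.I | re.M),
    "sdp_connection": re.compile(r"^c=IN IP4 (\S+)", re.M),
    "sdp_audio_port": re.compile(r"^m=audio (\d+)", re.M),
}

def extract(msg):
    """Return the first value of each NAT-relevant field, or None if absent."""
    msg = msg.replace("\r\n", "\n")
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(msg)
        out[name] = m.group(1) if m else None
    return out

def rewritten_fields(sent, received):
    """Map each field that differs between the two captures to (sent, received)."""
    a, b = extract(sent), extract(received)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for field, (before, after) in rewritten_fields(SENT, RECEIVED).items():
        print(f"{field}: {before} -> {after}")
```

An empty result means the message arrived as the endpoint sent it, which is what you should see with TLS or with SIP-ALG disabled.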

The best approach is to disable SIP-ALG altogether and always use encryption whenever it is possible.

Note that once SIP-ALG is disabled, the router / firewall will no longer automatically open any ports for RTP, since it stops parsing SIP packets. Make sure that either the operator supports symmetric RTP and replies with RTP packets to the address / port they came from, or that a complete port forward for the whole RTP port range is enabled (e.g. 10000-11000).

The following is a list of available resources for disabling SIP ALG on routers:

Cisco 1800 – https://supportforums.cisco.com/discussion/11262011/disable-sip-alg-cisco-1800-series-router

no ip nat service sip udp port 5060

Fortigate:

  1. Open the Fortigate CLI from the dashboard.
  2. Enter the following commands in FortiGate’s CLI:
    1. config system settings
    2. set sip-helper disable
    3. set sip-nat-trace disable
    4. reboot the device
  3. Reopen CLI and enter the following commands – do not enter the text after //:
    1. config system session-helper
    2. show    //locate the SIP entry, usually 12, but can vary.
    3. delete 12     //or the number that you identified from the previous command.
  4. Disable RTP processing as follows:
    1. config voip profile
    2. edit default
    3. config sip
    4. set rtp disable

Technicolor, Thomson, or SpeedTouch Router – http://docs.sipcentric.com/article/142-technicolor-or-thomson-router

Zyxel – http://www.voiptuts.com/2011/02/disable-sip-alg-on-zyxel-660-family.html

SonicWall – https://support.siteserver.com/kb/a109/sonicwall-disabling-sip-alg.aspx

Asus Routers:  

Disable the option ‘SIP Passthrough’ under ‘Advanced Settings / WAN’ -> ‘NAT Passthrough’.

If your router doesn’t have this option, SIP ALG may be disabled via Telnet. 

Billion: 

Check for a SIP ALG option in the NAT or Firewall settings.

DrayTek:

Disabling SIP ALG

TP-Link:

How to Disable SIP ALG on TP-Link ADSL modem router

Linksys:

Check for a ‘SIP ALG’ option, in the ‘Administration’ tab under ‘Advanced’. 

It might also be necessary to disable SPI Firewall. 

MikroTik:

Disable ‘SIP Helper’.

Netgear:

Look for a ‘SIP ALG’ checkbox in ‘WAN’ settings.

Port Scan and DoS Protection should also be disabled.

Disable STUN in VoIP phone’s settings. 

D-Link:

In ‘Advanced’ settings –> ‘Application Level Gateway (ALG) Configuration’ un-tick the ‘SIP’ option. 

Huawei:

The SIP ALG setting is usually found in the ‘Security’ menu. 

Adtran Netvanta: 

Disable SIP ALG under ‘Firewall/ACLs’ –> ‘ALG Settings’.
