How to Disable SIP ALG on Popular Routers

How to Disable SIP ALG on Popular Routers

Info
SIP ALG (Application Layer Gateway) is a mechanism found in most routers that rewrites packets transmitted across the device. Certain protocols are processed by the application layer gateway (ALG) and rewritten to allow better flow through a firewall or when NAT (Network Address Translation) is employed. The SIP protocol is one of several protocols managed by this system.

One of the most common issues with VoIP solutions relates to audio transmission and presence of a firewall and/or NAT traversal being configured. In many cases, a properly configured system may still have audio issues when transmitting or receiving calls where only one party is heard during a call. Implementing the necessary changes to disable SIP ALG can oftentimes resolve these issues.

SIP ALG

What is SIP ALG and Why is it Bad?

The problem with SIP ALG is the fact that most times, packet rewriting causes undesirable operation. The intent of the technology was to assist the packet flow of SIP and other packets and help solve NAT related problems. In this case, the ALG's function is to perform a stateful packet level inspection (SPI) of traffic coming through it. SIP messages would then be re-written by SIP ALG to allow the correct communication of signaling and voice traffic between endpoints and effective NAT traversal. The frequent result in lower end routers is however a hindrance for data transmission due to poor implementations of ALG that break SIP. Most commonly, the issues many experience relate to one-way or no audio, depending on who initiates the call.
Idea
In most cases, it is recommended that SIP ALG, SPI and SIP transformations are disabled.
With most setups, it is best to disable this feature as this service usually does more harm than good. The following section will help to assist most with disabling this feature on your router: 

Actiontec
1. Select Advanced, click Yes to accept the warning, then click ALG’s.
2. Ensure SIP ALG is disabled by removing the check.
3. Click Apply.
4. Select Advanced, click Yes to accept the warning, then click Remote Administration.
5. Click the checkbox to Allow Incoming WAN ICMP Echo Requests (for traceroute and ping), then click Apply.
Adtran
1. Under Firewall, go to Firewall / ACLs
2. Click on ALG Settings.
3. Uncheck the box labeled SIP ALG
4. Click Apply.

If you are using the terminal, issue the following command:
no ip firewall alg sip
Arris
Most Arris broadband gateways:
1. Navigate to the gateway’s IP (192.168.0.1).
2. Username: admin Password: motorola
3. Navigate to Advanced, then Options.
4. Uncheck the SIP box.
5. Click Apply.

Arris BGW210
1. Navigate to 192.168.1.254.
2. Authenticate without a username, and use the password located on the unit’s sticker.
3. Under the Firewall section, click on Advanced Firewall.
4. Change the Set SIP ALG setting to off.
5. Turn off the Authentication Header Forwarding.
6. Turn off ESP Header Forwarding
7. Click Save.
Asus
1. Under the Advanced Settings section, click WAN.
2. Click the NAT Passthrough tab.
3. Change the SIP Passthrough setting to “Disable.”
4. Click Apply.
AT&T
U-Verse Pace 5268AC Gateway
This broadband gateway does not support disabling SIP ALG. We recommend configuring your gateway to function only as a modem, not a router (Bridge Mode). You will need to use another router that supports disabling SIP ALG.
Cisco
Cisco General and Enterprise-Class routers:
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Cisco PIX routers:
no fixup protocol sip 5060
no fixup protocol sip udp 5060

Cisco ASA routers:
Locate ‘Class inspection_default’ under ‘Policy-map global_policy’. Execute this command: no inspect sip
D-Link

1. Click on Advanced Settings.
2. Locate the Application Level Gateway (ALG) Configuration.
3. Uncheck the SIP option.
4. Click Save.

DIR-655:
1. Click Advanced, located along the top.
2. Click Firewall Settings on the left side of the screen.
3. Uncheck Enable SPI
4. Set both UDP and TCP Endpoint Filtering to Endpoint Independent.
5. Uncheck SIP from Application Level Gateway Configuration.
6. Click Save.
Fortinet
Use the following commands from the CLI interface:
config system session-helper
show system session-helper

Find the SIP session instance, typically indicated by #12
Delete #12 or the appropriate number

Confirm its deletion by executing this command:
show system session-helper.

For more guidance, follow this article.
Linksys
Linksys Smart Wi-Fi (E-series):
1. On the left side of the screen, click on Connectivity.
2. Click the Administration tab.
3. Under Application Layer Gateway, verify SIP is unchecked.
4. Click Apply or Save.

Older Linksys models:
1. Go to the ‘Advanced’ section on the Admin page
2. Disable the SIP ALG feature.

Linksys BEFSR41 routers:
1. Click on Applications and Gaming on the Admin page.
2. Click on Port Triggering. 
3. Type in ‘TCP’ as the application.
4. Type in ‘5060’ into the Start Port and End Port for the ‘Triggering Range’ and ‘Forwarded Range’ fields.
5. Check ‘Enable’.
6. Click on Save and Reboot.
Mikrotik
For Mikrotik routers, SIP ALG is known as SIP Helper.
1. Use the company’s winbox software.
2. Navigate to IP, then Firewall.
3. Click on the Service Ports tab and disable it through the GUI.
4. You may also run this command from the terminal:
/ip firewall service-port disable sip
Netgear
For Netgear routers with the Genie interface:
1. Select the Advanced tab at the top.
2. Expand the Setup menu on the left side of the screen.
3. Click WAN Setup.
4. Check the box labeled Disable SIP ALG.

Other Netgear routers:
1. Under the Security/Firewall, click on Advanced Settings.
2. Disable SIP ALG.
3. Locate Session Limit under Security/Firewall.
4. Increase the UDP timeout to 300 sec.
SonicWall

1. Under System Setup on the left side of the screen, click on VoIP.
2. Check ‘Enable Consistent NAT’
3. Uncheck ‘Enable SIP Transformations’.
4. Click Accept.
5. To increase UDP timeouts, navigate to the Firewall Settings, then Flood Protection.
6. Click on the UDP tab and modify the default UDP connection timeout to 300 seconds.
7. Click the Accept button to save the changes. For more information, consult this support article.
TP-Link
Newer TP-Link routers (Archer series):
1. Click on the Advanced Tab.
2. Expand the NAT Forwarding menu on the left side of the screen.
3. Uncheck SIP ALG, RTSP ALG, and H323 ALG checkboxes.
4. Click Save.

Older TP-Link routers:
1. Use the Telnet client from the Command Prompt.
2. Apply the following command:
ip nat service sip sw off
UBEE
1. Go to Advanced, then Options.
2. Uncheck the SIP and the RTSP checkboxes.
3. Click Apply.
Ubiquiti
UniFi Security Gateway
1. Sign in to your UniFi security gateway.
2. Click on Routing & Firewall along the left side.
3. Click the Firewall tab at the top and click Settings from the sub-menu.
– Toggle H.323 and SIP to off.
– Click the Apply Changes button.

EdgeRouters (ER-x)
1. Access the router’s administrative interface, typically at 192.168.1.1.
2. Use the Config Tree or a command-line interface to disable SIP ALG.

Config Tree:
1. Select config tree in the top right-hand corner.
2. Expand system, conntrack, modules, and sip.
3. Click the plus sign next to disable.
4. Click the Preview option.
5. Click Apply.

Command Line Interface:
1. From the administrative interface, choose CLI located at the top right corner of the screen.
2. From here, we can also increase UDP timeouts as well.
3. Enter these commands into the terminal:
configure
– set system conntrack modules sip disable
– set system conntrack timeout udp stream 300
– set system conntrack timeout udp other 300
– commit
– save
– exit
Verizon FiOS
G1100
This broadband gateway does not support disabling SIP ALG. We recommend configuring your gateway to function only as a modem, not a router. You will need to use another router that supports disabling SIP ALG.
ZyXEL

ZyXEL ZyWALL/USG60:
1. Click on Configuration and expand the Network settings.
2. Click ALG along the left side.
3. Uncheck all the checkboxes on the right side:
– Uncheck Enable SIP ALG.
– Uncheck Enable SIP Transformations.
4. Click Apply.

ZyXEL C1000Z/C1100Z (CenturyLink):
1. Click on Advanced Setup.Click on SIP ALG along the left side.
2. Toggle the SIP ALG setting to Disable.
3. Click Apply.

ZyXEL P600:
1. Telnet to the router (192.168.1.1) and enter the password. The default password is 1234.
2. Type “24” and press enter.
3. Then “8” and press enter.
4. Provide this command:
ip nat service sip active 0
5. When done, press Enter.
 


    • Related Articles

    • Yealink SIP-T46U – Wi-Fi Network Connection and Management

      The Wi-Fi function of the Yealink T46U allows you to enjoy SIP connectivity without network cables. This reduces clutter, lets you easily move the phone around, or serves when a network port is unavailable or in offices with a Wi-Fi only network. ...

    • I hear a tone when there is a call on hold? How do I disable it?

      By default, the device will play a tone for you every 30 seconds a call is on hold. You can disable it or change the tone interval in the device's web interface: Sign in to device's web interface. (How to access the Yealink phone's web interface) ...

    • Ghost Call Prevention

      Many of us have experienced a ghost call at some point in time and it is frustrating. No I am not referring to some paranormal occurrence here that requires the Ghostbuster team, though if it happens in the wee hours it can have a similar affect on ...

    • “No service” error

      The device's screen displays “No Service” when a SIP account doesn't registers successfully. Submit a support ticket here and we’ll look into the issue.

    • Phone Feature Codes

      Call Service Code - Description Code Anonymous Call Rejection - disable *87 Anonymous Call Rejection - enable *77 Automatic Callback - cancel all attempts *86 Automatic Callback - last outgoing call *66 Automatic Recall - cancel all attempts *89 ...