About SIP ALG and the need to disable it



SIP ALG Explained

Most of today's routers implement SIP ALG (Application Layer Gateway) and come with the feature enabled by default.

While an ALG could help in solving NAT related problems, the fact is that most routers' ALG implementations are wrong and break SIP.

There are various solutions for SIP clients behind NAT; some of them are client-side (STUN, TURN, ICE), and others are server-side (RTP proxies such as RtpProxy and MediaProxy).

An ALG typically runs on the client's LAN router or gateway. In some scenarios, however, some client-side solutions are not valid; for example, STUN behind a symmetric NAT router.

If the server-side SIP proxy doesn't provide a server-side NAT solution, then an ALG solution could have a place.

An ALG is meant to understand the protocol used by the specific applications that it supports, and performs protocol-level packet inspection of the traffic passing through it.

A NAT router with a built-in SIP ALG can re-write information within the SIP messages (SIP headers and SDP body) making signalling and audio traffic between the client behind NAT and the SIP endpoint possible.

However, our voice service does employ a NAT compensation solution; therefore, SIP ALG should be disabled client-side.


SIP ALG Problems

The main problem is the poor implementation at the SIP protocol level in most routers, and the fact that this technology is really only useful for outgoing calls, not for incoming calls.


Lack of incoming calls

When a handset is powered up or a softphone is started, it sends a REGISTER to the proxy so that it can be located and receive incoming calls. This REGISTER is modified by the ALG feature. If it wasn't, the user wouldn't be reachable by the proxy, since the REGISTER "Contact" header would indicate a private IP.

Common routers only hold the UDP "connection" open for a short while, e.g. 30-60 seconds, so after that time the port forwarding ends and incoming packets are discarded by the router.

Many SIP proxies maintain the UDP keep-alive by sending OPTIONS or NOTIFY messages to the handset or softphone, but they only do it when the handset or softphone has been detected as NATed during the registration.

A SIP ALG router rewrites the REGISTER request so the proxy doesn't detect the NAT and doesn't maintain the keep-alive, so incoming calls will not be possible.


Breaking SIP signalling

Many routers with inbuilt SIP ALG modify the SIP headers and the SDP body incorrectly, breaking SIP and making communication almost impossible.

Some of them do a complete replacement, searching for a private address in all SIP headers and bodies and replacing every occurrence with the router's public mapped address. For example, they replace the private address if it appears in the Call-ID header, which makes no sense at all.

Many SIP ALG routers corrupt the SIP message when writing into it. For example, they will often omit a semicolon (;) in the header parameters.

Writing incorrect port values greater than 65536 is also common in many routers.
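
The failure modes above can be checked by comparing a REGISTER as the phone sent it with the same request as captured at the proxy. The Python below is an added example, not part of the original article or of the provider's tooling; the sample messages, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample: a REGISTER as the phone sends it from a private address.
SENT = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:1001@sip.example.net>;tag=49583\r\n"
    "To: <sip:1001@sip.example.net>\r\n"
    "Call-ID: 843817637684230@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>;expires=3600\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: the same request as captured at the proxy, after a faulty
# ALG did a blind address replacement, wrote a bad port and dropped a ';'.
RECEIVED = (SENT.replace("192.168.1.50:5060", "203.0.113.7:70012")
                .replace("192.168.1.50", "203.0.113.7")
                .replace("hds;rport", "hdsrport"))

HOST_PORT = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:(\d+)")

def headers(msg):
    """Return {lower-case header name: value}; start line and body are skipped."""
    head = msg.split("\r\n\r\n", 1)[0]
    out = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def alg_findings(sent, received):
    """List signs that something between phone and proxy edited the SIP text."""
    s, r = headers(sent), headers(received)
    findings = []
    # Plain NAT only changes IP/UDP headers, so these must arrive unchanged.
    for name in ("call-id", "contact"):
        if s.get(name) != r.get(name):
            findings.append(f"{name}-rewritten")
    for name, value in r.items():
        if any(not 0 < int(p) <= 65535 for p in HOST_PORT.findall(value)):
            findings.append(f"bad-port:{name}")
        # Fewer ';' than were sent means a parameter separator was lost.
        if value.count(";") < s.get(name, "").count(";"):
            findings.append(f"missing-semicolon:{name}")
    return findings

if __name__ == "__main__":
    print(alg_findings(SENT, RECEIVED))
```

An empty result for a real sent/received pair means the SIP text crossed the router untouched, which is what the proxy needs in order to detect the NAT and keep the binding alive.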


Disallows server-side solutions

Even if you don't need a client-side NAT solution, if your router has SIP ALG enabled and this breaks SIP signalling, it will make communication with our server-side SIP proxy impossible.



COPYRIGHT © 2009 -       Digital Hybrid Pty Ltd | really communicate       ACN 139 660 585   |   ABN 37 139 660 585   |   ALL RIGHTS RESERVED WORLDWIDE