If you have ever troubleshot one-way audio, dropped calls after 30 seconds, or random registration failures on a VoIP system — and spent hours checking firewalls, NAT rules, and codec settings — there is a very high chance the problem was SIP ALG.
SIP ALG (Application Layer Gateway) is a router feature that is supposed to help VoIP traffic traverse NAT. In practice, it mangles SIP headers in ways that break everything. It is enabled by default on almost every consumer and business router.
What SIP ALG Actually Does
SIP ALG intercepts SIP packets and rewrites the IP addresses and ports inside them. The theory is that this helps NAT traversal by matching internal addresses with external ones.
The problem: SIP ALG implementations are almost universally broken. They modify headers incorrectly, they do not handle encrypted signaling, and they create state mismatches between the SIP stack and the phone system.
Symptoms of SIP ALG Problems
| Symptom | Why It Happens |
|---|---|
| One-way audio | ALG rewrites RTP address incorrectly, media flows in only one direction |
| Calls drop at 30-32 seconds | ALG breaks SIP session timers, re-INVITE fails |
| Registration failures every few hours | ALG modifies REGISTER headers, server rejects re-registration |
| Caller ID wrong or missing | ALG mangles From/P-Asserted-Identity headers |
| Transfer failures | ALG cannot handle REFER with Replaces header |
| Intermittent echo | ALG causes routing asymmetry in media path |
How to Disable SIP ALG
Every router vendor does this differently. Here are the common ones:
Ubiquiti EdgeRouter / UniFi:
configure
set system conntrack modules sip disable
commit; save
pfSense / OPNsense:
System > Advanced > Firewall & NAT > uncheck "Enable SIP ALG"
MikroTik RouterOS:
/ip firewall service-port set sip disabled=yes
Cisco IOS:
no ip nat service sip udp port 5060
Most consumer routers:
Admin panel > Advanced > SIP ALG > Disable (sometimes under "Gaming" or "Application")
The Correct Alternative
Instead of SIP ALG, VoIP NAT traversal should be handled by:
- STUN — Simple Traversal of UDP through NAT. Phones discover their public IP and port.
- TURN — Traversal Using Relay NAT. Media relayed through a server when direct connection fails.
- ICE — Interactive Connectivity Establishment. Tries multiple paths and selects the best one.
Modern VoIP providers like providers like VestaCall (https://vestacall.com) that focus on transparency handle NAT traversal server-side, making SIP ALG completely unnecessary.
Quick Test
If you suspect SIP ALG is causing issues:
- Disable SIP ALG on your router
- Reboot the router (not just save — reboot)
- Reboot your IP phones or softphones
- Test inbound and outbound calls
- Test call transfers
In about 80% of unexplained VoIP issues I have debugged, disabling SIP ALG fixed the problem immediately.
Top comments (0)