SIP ALG - What It Is and How to Detect It

Basic definition

SIP ALG stands for Application Layer Gateway. You will find it on many commercial and residential Firewalls, Routers, or Modems. It is a NAT tool that inspects SIP Messages and transforms the Private IP addresses and Ports to Public IP Addresses and Ports.

So what is the problem with SIP ALG?

SIP ALG was built as a tool when Hosted PBX's didn't have a great NAT solution. To this day some still do not understand NAT. Our system fully understands NAT and prefers the use of private IP addresses in SIP Messaging as opposed to the Public IP Address. The message is delivered back to the Public IP Address and Port from which it was received.

Secondly, many commercial Firewalls and Modems do not fully understand SIP and SIP Routing. The replacement of the private IP is done via Scripting, which can also eliminate critical parts of the SIP message. They also commonly have problems with their own internal NAT Routing Table for the messages they transformed, causing some SIP messages to be delivered to the wrong endpoint or not be delivered at all.

What are some symptoms of SIP ALG?

There are many Symptoms of SIP ALG, here are some of the most common symptoms we see.

  • One-way or No-way audio, intermittently or consistently.
  • Outbound or Inbound Call Fails to Connect.
  • Audio cuts out completely while on a call and doesn't return.
  • Phones continue ringing and can't be answered.
  • Unable to call another extension on its own Network.
  • BLF or MWI getting sent to the wrong extension, acting slow, or not working at all.

What are NOT symptoms of SIP ALG?

There are some misconceptions, as SIP ALG is only a NAT tool it does NOT affect the following:

  • Audio Quality after a call has started. This would most commonly be caused by Jitter or Packet Loss on the customer's Network.
  • Echo or Static, there are both elements typically associated with an issue at the Endpoint or on the Local Network such as Electronic Interference or Voice Activity Detection (VAD).

How do I know if SIP ALG is on? How do you know if there is SIP ALG?

Although SIP ALG usually causes problems right away, it can exist on your customers Network for months or years before being troublesome. This can be due to a firmware update or corruption of the file system on the routing device.

You can look in a SIP Trace to easily determine if there is SIP ALG. This assumes you understand the difference between a public and private IP address. IF you see a Public IP address from your customer's phone in the Contact Header, or anywhere in the SDP Body, this is a very good indication there is SIP ALG.

The exception is if the phone itself has a Public IP address, or you are using another NAT Tool like STUN, TURN, or ICE. These tools are not necessary and we don't recommend their use. STUN, TURN, and ICE are things that you must configure, so it's likely they are not the problem.

In the following image, we can see this is an INVITE from a Polycom VVX 410. We see the Public IP Address 5 times in this SIP message, but it normal to see it in the 'Received packet from' and Via Headers (indicated by Green). It should NOT be seen in the Contact Header or SDP body (Indicated by Red). 50.50.50.50 is a ficticious Public IP Address.

How do I turn it off?

It is easy to detect of SIP ALG is there, but not always so easy to turn it off. Here are some tips...

  1. SIP ALG can be named SIP Transformer, SIP Helper, SIP Guide, or other various names.
  2. SIP ALG is not always found in the GUI of the device, in some cases you may have to SSH or Telnet into the device to turn it off.
  3. SIP ALG can exist on your Modem or Firewall. If you are using a modem/router in bridge mode it can still intercept and transform these messages if you did not turn it off prior to bridging it.
    1. In this case, you can look at a WAN packet capture form your firewall to see if your firewall is changing it.
  4. In some equipment, ALG simply can NOT be turned off. in this case, you will need to seek out a new Modem or Firewall.
  5. In extremely RARE cases this is can be done by the ISP, in which case you may be able to request for them to turn it off.