Document name: Overview of SIP ALG
Author: Llewellyn Carson
Publish Date: 03/11/2021
Version: 1.0
Reference:

 

 

1. Version Information 

 

Date: 03/11/2021
Author: Llewellyn Carson
Update Information: 1st draft
Version: 1.0

 

 

This document is intended to provide the reader with an overview and information regarding SIP ALG.

 

Overview of SIP ALG

 

Important to note the effect of SIP ALG

 

In SIP ALG, ALG stands for Application Layer Gateway. The feature is common in many commercial routers. Its purpose is to prevent some of the problems caused by router firewalls by inspecting VoIP traffic (packets) and, if necessary, modifying it.

 

Note: Many routers have SIP ALG turned on by default.

 

There are various solutions for SIP clients behind NAT: some on the client side (STUN, TURN, ICE), others on the server side (RTP proxies such as RtpProxy and MediaProxy).

An ALG typically works in the client-side LAN router or gateway. In some scenarios, some client-side solutions are not valid, for example, STUN behind a symmetric NAT router. If the SIP proxy doesn’t provide a server-side NAT solution, then an ALG solution could have a place.

An ALG understands the protocol used by the specific applications that it supports (in this case SIP) and performs protocol-aware packet inspection of the traffic passing through it. A NAT router with a built-in SIP ALG can rewrite information within the SIP messages (SIP headers and SDP body), making signalling and audio traffic between the client behind NAT and the SIP endpoint possible.

 

How can SIP ALG affect VoIP?

 

Even though SIP ALG is intended to assist users who have phones on private IP addresses (Class C 192.168.X.X), in many cases it is implemented poorly and causes more problems than it solves. SIP ALG modifies SIP packets in unexpected ways, corrupting them and making them unreadable. This can give you unexpected behaviour, such as phones not registering and incoming calls failing.

Therefore, if you are experiencing problems, we recommend that you check your router settings and turn SIP ALG off if it is enabled.

  • Lack of incoming calls: When a UA is switched on, it sends a REGISTER request to the proxy so that it can be located and receive incoming calls. The ALG feature modifies this REGISTER (otherwise the user would not be reachable by the proxy, since the REGISTER “Contact” header indicates a private IP). Common routers keep the UDP “connection” open only for a while (30-60 seconds); after that time the port forwarding ends and incoming packets are discarded by the router. Many SIP proxies maintain the UDP keepalive by sending OPTIONS or NOTIFY messages to the UA, but they only do so when the UA has been detected as NAT’d during registration. Because a SIP ALG router rewrites the REGISTER request, the proxy doesn’t detect the NAT and doesn’t maintain the keepalive (so incoming calls will not be possible).
  • Breaking SIP signalling: Many current common routers with built-in SIP ALG modify SIP headers and the SDP body incorrectly, breaking SIP and making communication impossible. Some of them do a blanket replacement, searching for a private address in all SIP headers and the body and replacing every occurrence with the router’s public mapped address (for example, replacing the private address if it appears in the “Call-ID” header, which makes no sense at all). Many SIP ALG routers corrupt the SIP message when writing into it (for example, a missing semicolon “;” in header parameters). Writing incorrect port values greater than 65536 is also common in many of these routers.
  • Disallows server-side solutions: Even if you don’t need a client-side NAT solution (because your SIP proxy gives you a server-side NAT solution), a router whose SIP ALG is enabled and breaks SIP signalling will make communication with your proxy impossible.
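
Added example (not part of the original document): a Python check that compares a REGISTER as the phone sent it with the copy captured at the proxy, and reports the ALG symptoms listed above: a rewritten Call-ID, a private address replaced so the proxy cannot detect NAT, out-of-range ports and lost header-parameter semicolons. The messages, addresses and function names are constructed for illustration, and the check assumes IPv4 literals in the Via and Contact headers.

```python
import ipaddress
import re

# Constructed REGISTER as the phone sends it from its private LAN address.
SENT = """REGISTER sip:pbx.example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport
From: <sip:1001@pbx.example.com>;tag=49583
To: <sip:1001@pbx.example.com>
Call-ID: 843817637684230@192.168.1.20
CSeq: 1 REGISTER
Contact: <sip:1001@192.168.1.20:5060>;expires=3600
"""

# Constructed capture of the same request at the proxy, after a faulty ALG.
RECEIVED = """REGISTER sip:pbx.example.com SIP/2.0
Via: SIP/2.0/UDP 203.0.113.7:70012branch=z9hG4bK776asdhds;rport
From: <sip:1001@pbx.example.com>;tag=49583
To: <sip:1001@pbx.example.com>
Call-ID: 843817637684230@203.0.113.7
CSeq: 1 REGISTER
Contact: <sip:1001@203.0.113.7:70012>;expires=3600
"""

ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")  # IPv4[:port]

def headers(msg):
    """Map lower-cased header names to values (request line skipped)."""
    out = {}
    for line in msg.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def alg_findings(sent, received):
    """Compare the phone-side and proxy-side copies of one request."""
    s, r = headers(sent), headers(received)
    found = []
    if s["call-id"] != r["call-id"]:
        found.append("call-id rewritten")
    for name in ("via", "contact"):
        s_ip, _ = ADDR.search(s[name]).groups()
        r_ip, r_port = ADDR.search(r[name]).groups()
        if ipaddress.ip_address(s_ip).is_private and s_ip != r_ip:
            found.append(f"{name} address rewritten, NAT hidden from proxy")
        if r_port and int(r_port) > 65535:
            found.append(f"{name} port out of range")
        if s[name].count(";") != r[name].count(";"):
            found.append(f"{name} parameters corrupted")
    return found
```

An empty result from alg_findings means the two copies agree on these fields, which is what you should see once SIP ALG is turned off on the router.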