SIP-ALG how to turn off on common routers

SIP-ALG how to turn off on common routers

SIP ALG uitschakelen

Adtran

Add the following:

no ip firewall alg sip

 

Arris Gateways

  1. Go to Advanced > Options.
  2. Disable (uncheck) SIP.
  3. Click Apply.

Arris Gateway IP Address: 192.168.0.1

  • Username: admin
  • Password: motorola

 

ASA

  1. Go to policy-map global_policy > class inspection_default.
  2. Enter:
no inspect sip

 

ASUS

SIP ALG is located in (via the web interface):

  1. Go to Advanced Settings / WAN on left side.
  2. From the tabs across the top, choose NAT Pass through.
  3. Change SIP pass through to “Disable.” Hit apply.

For phones to pick up the change immediately, reboot each of them, otherwise they will pick up the new NAT table with changes during their next registration.

If your router does not have an option to disable SIP Passthrough then read on…

To disable the SIP ALG manually, you enable telnet to the device via the WWW interface.

Telnet to the device (from a command line enter “telent 192.168.1.1” or the appropriate IP address for the device.)

Issue the following commands:

nvram get nf_sip 
(It should return a "1")
nvram set nf_sip=0 
nvram commit
Reboot

Then reboot the router for the changes to take effect.

 

Cisco

On Cisco devices, SIP-ALG is referred to as SIP Fixup and is enabled by default on both routers and Pix devices. Because this is a default setting, no indication of it being “on” or “off” is visible in the configuration.

To disable SIP Fixup, issue the following commands:

General Routers

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Enterprise-Class Routers

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

Pix Devices

no fixup protocol sip 5060
no fixup protocol sip udp 5060

Models: 800 Series

To disable the NAT services for SIP in IOS, just run these commands:

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

 

  1. From the admin interface page of the router, navigate to Advanced settings.
  2. Under Application Level Gateway (ALG) Configuration, uncheck the SIP option.

 

Draytek

Voor de modellen: Vigor2750, Vigor2130

SIP ALG staat standaard aan. Mocht je dit willen uitzetten:

  • Zorg ervoor dat de computer met de router verbonden is.
  • Open een commandline;
    • Windows: Start -> Uitvoeren -> type cmd-> enter
    • OS X: CMD+spatie -> type terminal-> enter
  • Type in deze commandline telnet IP-van-de-routeren druk op enter
  • Type de gebruikersnaam in van de modem en druk op enter
  • Voer het wachtwoord van de modem in en druk nogmaals op enter
  • Voer het volgende in en druk op enter: kmodule_ctl nf_conntrack_sip disable
  • Voer het volgende in en druk op enter: kmodule_ctl nf_nat_sip disable
  • Als het modem herstart is kunt u testen of VoIP werkt.

Alle andere modellen:

  • Zorg ervoor dat de computer met de router verbonden is.
  • Open een commandline;
    • Windows: Start -> Uitvoeren -> type cmd-> enter
    • OS X: CMD+spatie -> type terminal-> enter
  • Type in deze commandline telnet IP-van-de-routeren druk op enter
  • Type de gebruikersnaam in van de modem en druk op enter
  • Voer het wachtwoord van de modem in en druk nogmaals op enter
  • Voer het volgende in en druk op enter: sys sip_alg 0
  • Als het modem herstart is kunt u testen of VoIP werkt.


Time-To-Live UDP:

Er zijn enkele modellen waar de TTL voor UDP aangepast dient te worden indien gebruik worden gemaakt van het Cloudoe platform:

– Express Office / Hosted Basis: 40 seconden
– HIP / Hosted Extra: 100 seconden

By telnet command “portmaptime -l”, we can check the current value for each application.

To change the NAT timeout value, enter command

portmaptime -[protocol] [time]

Where [protocol] is a character represents the application (please use command “portmaptime ?” to check the options available), and [time] is a number of seconds. For example, if you’d like to set the timeout value of UDP session to 5 minutes (300 seconds), this can be done by the command

portmaptime -u 300

After that, you may use the command “portmaptime -l” to check if the current value has changed.

 

Fortinet

Models: All models come with SIP Helper enabled by default

To disable SIP helper:

~# telnet firewall
config system settings
set sip-helper disable
set sip-nat-trace disable
end
config system session-helper
show <---- use this to find out which entry is configured for typically 12 or 13
delete 12
end

Starting from fortOS 7.0 and up use

config system settings
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end

If use voip profile in firewall policy, execute:
config voip profile
edit default
config sip
set rtp disable
end
end

The preferred solution is to configure the SIP ALG. Policies that use the SIP ALG will not use SIP helper. Full documentation at http://docs.fortinet.com then pick FortiOS for the version on your device, then VoIP solutions: SIP.

 

Juniper / Netscreen

Models: SSG Series

To disable SIP ALG:
In the Web interface: Security -> ALG

 

Linksys

General Linksys Guidelines

  1. From the ADMIN page of the router, navigate to [Administration] > [Advanced].
  2. Look for and disable a SIP ALG option.

Linksys BEFSR41

  1. From the ADMIN page of the router, navigate to [APPLICATIONS & GAMING] > [PORT TRIGGERING].
  2. Enter [TCP] as the application.
  3. Enter [5060] into the Start Port and End Port for both the Triggering Range and Forwarded Range.
  4. Check Enable.
  5. Save Settings.
  6. Reboot IP phone.

Models: WRV200, WRT610N
NAT type: Symmetrical
Issues:

  • The ALG replaces the private address in “Call-ID” header (not needed at all). Some phones (as Linksys with latest firmware) encode the “Call-ID” value in the “Refer-To” header (by escaping the dots) so the private IP appearing there is not replaced with the public IP. This causes that the call transfer fails since the proxy/PBX/endpoint will not recognize the dialog info.

To disable SIP ALG:

ToDo no ALG related options found via web and telnet. No idea of how to disable it.
To disable SIP ALG on WRT610N: Web Interface: Administration, Management, under side heading ‘Advanced Features’ SIP ALG, can be disabled.

 

Motorola

Models: SBG6580 (SurfBoard Extreme Wireless Cable Modem Gateway)

  • No Registeration possible behind NAT as the device changes Call-ID and causes the responses to be discarded by SIP clients/ATAs
  • No Solution at this time (SIP ALG, called SIP Pass Through, can not be disabled) .
  • Must disable NAT and put the device in bridge mode. (See this guide)

 

Netgear

Models: WGR614v9 Wireless-G Router, DGN2000 Wireless-N ADSL2+ Modem Router
Firmware V1.0.18_8.0.9NA
To disable SIP ALG:

  1. From Wan Setup Menu,
  2. NAT Filtering,
  3. uncheck the box next to “Disable SIP ALG”

When setting the Global Default UDP timeout value on a SonicWall firewall, you must still fix the pre-existing rules’ individual UDP timeout values. New rules will inherit the Global Default. Increase the UDP timeout to the suggested 300 seconds both globally on the firewall and the specific out-bound firewall rule (or the default rule, as the case may be).

 

Models: All multi-WAN models
To disable SIP ALG, go to http://<router.LAN.IP>/cgi-bin/MANGA/support.cgi
Click the “Disable” button under “SIP ALG Support”
Issues:

  • I’m not aware of any SIP ALG issues, but if you just want to turn it off, here you go.

 

SMC

Models: ToDo
NAT type: No symmetrical
Issues:

  • The ALG doesn’t replace the private address in “Call-ID” header (that is correct) but it does replace the “call-id” value in “Refer-To” header so SIP transfer is broken.

To disable SIP ALG:

ToDo no ALG related options found via web and telnet. No idea of how to dissable it.

 

SonicWall

  1. Uncheck the box for Use SIP Header Transformation.
  2. Disable consistent NAT.

When setting the Global Default UDP timeout value on a SonicWall firewall, you must still fix the pre-existing rules’ individual UDP timeout values. New rules will inherit the Global Default. Increase the UDP timeout to the suggested 300 seconds both globally on the firewall and the specific out-bound firewall rule (or the default rule, as the case may be).


Sophos

The SIP module is turned on by default and provides the following functions for SIP traffic:

  • Uses UDP port 5060.
  • Translates local IP addresses to public IP addresses, updating the SIP header.
  • Enables a dynamic voice channel by setting up an expected voice connection in the firewall.

Turning the SIP module on or off from the command line interface (CLI)

  1. Sign in to the command line using Telnet or SSH. You can also access it from admin > Console in the upper-right corner of the web admin console.
  2. Choose option 4. Device Console.
  3. Use the following commands.

    • Turn on SIP module: system system_modules sip load
    • Turn off SIP module: system system_modules sip unload

    Note

    The commands are persistent even if the Sophos Firewall is restarted.

  4. See the SIP module status: system system_modules show

    SIP Not Loaded

Use a custom port

If you're using a custom port for SIP communication and you want to load the same port under the Sophos helper module, run the below command:

system system_modules sip load ports <custom_port>

TCP support

The Sophos Firewall SIP helper doesn't support SIP and SDP messages spanning more than one packet. This can happen when you are using SIP over TCP.

The workaround is to use a SIP UDP control connection because, in UDP, a single SIP message is a single packet.

SIP UDP control connection



UDP time-out value causes VoIP calls to drop or have poor quality

What to do if VoIP calls drop or have poor quality.

Condition:

VoIP calls drop or have poor quality.

Cause:

If there are no errors in the SIP configuration, VoIP issues are usually due to the UDP time-out value.
Sophos Firewall has a default UDP time-out of 60 seconds which is usually low for reliable VoIP communication. Usually, Cloudoe engineering recommends a UDP time-out value, typically 180 seconds.
To change the current UDP time-out value from the command line interface (CLI), choose option 4. Device Console and do as follows:

Remedy:

Type: show advanced-firewall
The output shows the current UDP time-out value next to UDP timeout stream.
Type: set advanced-firewall udp-timeout-stream 180
This command increases the UDP time-out to 180 seconds. If your provider recommends a different value, use that.

DoS & spoof protection and VoIP

Condition:

Unstable VoIP connection if DoS settings for UDP rate are applied.

Cause:

UDP flood settings cause VoIP traffic to drop.

Remedy:

Go to Intrusion prevention > DoS & spoof protection.
Under DoS settings, clear the Apply flag checkboxes for UDP flood.
Test the VoIP connection.
If this setting resolves the VoIP issue, lower the UDP flood protection values before applying the flag again.
A single value doesn't work for all environments. Adjust the values until you find those that work best for your VoIP setup.


SpeedTouch

Models: ST530 v6 (firmware >= 5.4.0.13) comes with SIP ALG enabled by default.
NAT type: symmetrical
Issues:

  • No incoming calls.
  • It replaces the private IP appearing in SIP headers with the public IP using a dumb text replacement. If for example the private IP appears in the “Call-ID” it replaces it too (that it’s completely unnecessary).

To disable SIP ALG:

~# telnet router
-> connection unbind application=SIP port=5060
-> saveall

 

UBEE

  1. Go to Advanced > Options.
  2. Disable (uncheck) SIP.
  3. Disable (uncheck) RTSP.
  4. Click Apply.

 

Ubiquinti

Model: Edgerouter

  1. Open de Config Tree.
  2. Klap het menu open zoals hieronder aangegeven.
  3. Klik op  + achter disable onder sip.
  4. Klik onder in beeld op Preview om de instellingen op te slaan.

 

Zyxel

  1. Go to Settings > Configuration > Network > ALG.
  2. Disable SIP ALG.

Note: If you have mixed models of phones like Polycom/Aastra/Cisco/Panasonic, then you may experience difficulty in using ZyXEL ZyWALL routers. However, if you have only Polycom phones, please review this article to learn how to configure ZyXEL ZyWALL routers for use with Polycom phones.

Models: 660 family comes with SIP ALG enabed by default.
NAT type: symmetrical
Issues:

  • No incoming calls.
  • SIP protocol broken making 50% of outgoing calls impossible because the wrong values are inserted into SIP headers.

To disable SIP ALG:

~# telnet router
Menu option "24. System Maintenance".
Menu option "8. Command Interpreter Mode".
ip nat service sip active 0

 


    • Related Articles

    • SIP Session Timers

      Network Working Group S. Donovan Request for Comments: 4028 J. Rosenberg Category: Standards Track Cisco Systems April 2005 Session Timers in the Session Initiation Protocol (SIP) Status of This Memo This document specifies an Internet standards ...
    • Telecom Wetgeving

      Link naar het wetsartikel over de telecom Wet. Hierin staat bijvoorbeeld wat wel en niet mag met betrekking tot tracen, luisteren van SIP recordings en het meesturen van andere identiteiten. wetten.nl - Regeling - Telecommunicatiewet - BWBR0009950 ...