Fix SIP ALG Issues (Router VoIP Killer)

How SIP Application Layer Gateway on routers silently breaks Asterisk calls and how to disable it on every major router brand

What is SIP ALG?

SIP ALG (Application Layer Gateway) is a feature built into most consumer and many enterprise routers. It was designed to help SIP traffic traverse NAT by inspecting and rewriting SIP packets. In practice, it almost always makes things worse.

SIP ALG intercepts SIP messages (INVITE, REGISTER, 200 OK, etc.) as they pass through the router and modifies:

  • The Contact header (changes the IP/port Asterisk advertises)
  • The Via header (changes the routing path information)
  • The SDP body (changes the media connection IP address)
  • The Route/Record-Route headers

The #1 Rule of VoIP: If you have VoIP problems and there is a router between your endpoints, disable SIP ALG first. It causes more problems than it solves in virtually every deployment.

Symptoms of SIP ALG Problems

Symptom                                  | How SIP ALG Causes It
-----------------------------------------|------------------------------------------------------------------
One-way audio                            | ALG rewrites the SDP media address to the wrong IP, so RTP goes to the wrong destination
No audio at all                          | ALG corrupts the SDP body, so both sides have the wrong media endpoint
Calls drop after 30 seconds              | ALG modifies the Contact header, so the ACK cannot reach Asterisk
Registration failures                    | ALG rewrites the REGISTER Contact, so responses go to the wrong address
Intermittent call failures               | ALG state table overflow or inconsistent rewriting
Calls work internally but not externally | ALG only affects packets crossing the NAT boundary
Random SIP 400/500 errors                | ALG corrupts the SIP message structure (e.g., Content-Length mismatch)
Transfer failures                        | ALG rewrites REFER headers incorrectly

How to Detect SIP ALG

# Method 1: Compare SIP messages on both sides
# On Asterisk server:
asterisk -rx "sip set debug on"
# (chan_sip; with PJSIP use: asterisk -rx "pjsip set logger on")
# Note the Contact header in the REGISTER Asterisk sends:
# Contact: <sip:100@192.168.1.100:5060>

# On the provider's side (or using tcpdump on the WAN):
tcpdump -l -i eth0 -n -A port 5060 | grep Contact   # -l: line-buffer so grep sees output immediately
# If the Contact header shows a DIFFERENT IP or port,
# SIP ALG is rewriting it!

# Method 2: Check for nf_conntrack_sip (Linux routers)
lsmod | grep sip
# If "nf_conntrack_sip" or "nf_nat_sip" is loaded, SIP ALG is active

# Method 3: Send a known SIP packet and check if it's modified
# Use sipsak to send a test OPTIONS:
sipsak -vv -s sip:test@your-public-ip:5060
# Compare what was sent vs what was received

# Method 4: Check Content-Length mismatch
# SIP ALG often changes the SDP body but forgets to update
# Content-Length. Look for "Content-Length: 289" but the
# actual SDP is 315 bytes (modified by ALG).
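Methods 1 and 4 above both come down to comparing what Asterisk sent with what arrived on the far side of the router. The script below automates that comparison; it is an added example, not part of the original article or of Asterisk. It parses two captured SIP INVITEs (both constructed here, with 192.168.1.100 as the LAN address and 203.0.113.7 as the router's WAN address), reports every address the ALG rewrote in Contact, Via and the SDP c= line, and flags a Content-Length that no longer matches the body. The `build_invite` helper only exists to fabricate the two captures; in practice you would feed it the text of the messages from `sip set debug on` and from `tcpdump -A`.

```python
"""Compare a SIP message as sent by Asterisk with the copy captured on the
WAN side of the router and report every field a SIP ALG rewrote."""
import re

INTERNAL_IP = "192.168.1.100"   # constructed: Asterisk's LAN address
PUBLIC_IP = "203.0.113.7"       # constructed: router WAN address (TEST-NET-3)


def build_invite(sig_ip, sdp_ip, content_length=None):
    """Fabricate an INVITE (hypothetical helper for this example only).
    sig_ip goes into Via/Contact, sdp_ip into the SDP c= line. If
    content_length is given it is used verbatim, which lets us reproduce the
    stale Content-Length a sloppy ALG leaves behind after shrinking the body."""
    sdp = "\r\n".join([
        "v=0",
        f"o=- 1234 1234 IN IP4 {INTERNAL_IP}",
        "s=Asterisk",
        f"c=IN IP4 {sdp_ip}",
        "t=0 0",
        "m=audio 10000 RTP/AVP 0 8",
        "a=rtpmap:0 PCMU/8000",
        "a=rtpmap:8 PCMA/8000",
    ]) + "\r\n"
    if content_length is None:
        content_length = len(sdp.encode())
    headers = "\r\n".join([
        "INVITE sip:200@sip.example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {sig_ip}:5060;branch=z9hG4bK-constructed",
        "From: <sip:100@sip.example.net>;tag=1",
        "To: <sip:200@sip.example.net>",
        "Call-ID: constructed-call-id@example",
        "CSeq: 1 INVITE",
        f"Contact: <sip:100@{sig_ip}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {content_length}",
    ])
    return headers + "\r\n\r\n" + sdp


def parse_sip(raw):
    """Split a SIP message into (start_line, {lowercased header: [values]}, body)."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else "")
    lines = re.split(r"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def content_length_mismatch(raw):
    """Return (declared, actual) when Content-Length disagrees with the body size, else None."""
    _, headers, body = parse_sip(raw)
    if "content-length" not in headers:
        return None
    declared = int(headers["content-length"][0])
    actual = len(body.encode())
    return None if declared == actual else (declared, actual)


def extract_addresses(raw):
    """Pull the host out of Contact, Via and the SDP c= line (None if absent)."""
    _, headers, body = parse_sip(raw)
    contact = re.search(r"@([\w.\-]+)", headers.get("contact", [""])[0])
    via = re.search(r"SIP/2\.0/\w+\s+([\w.\-]+)", headers.get("via", [""])[0])
    sdp_c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    return {
        "contact": contact.group(1) if contact else None,
        "via": via.group(1) if via else None,
        "sdp_c": sdp_c.group(1) if sdp_c else None,
    }


def alg_findings(sent, received):
    """List every difference that points at ALG rewriting; empty list means clean."""
    findings = []
    before, after = extract_addresses(sent), extract_addresses(received)
    for field in before:
        if before[field] != after[field]:
            findings.append(f"{field} rewritten: {before[field]} -> {after[field]}")
    mismatch = content_length_mismatch(received)
    if mismatch:
        findings.append(f"Content-Length declares {mismatch[0]} bytes but body is {mismatch[1]} bytes")
    return findings


# Constructed captures: what Asterisk sent, and what the WAN-side capture shows
# after an ALG rewrote Via, Contact and c= but left Content-Length untouched.
SENT = build_invite(INTERNAL_IP, INTERNAL_IP)
STALE_LENGTH = len(parse_sip(SENT)[2].encode())
RECEIVED = build_invite(PUBLIC_IP, PUBLIC_IP, content_length=STALE_LENGTH)

if __name__ == "__main__":
    for finding in alg_findings(SENT, RECEIVED) or ["no ALG rewriting detected"]:
        print(finding)
```

Run it against real captures by replacing `SENT` and `RECEIVED` with the pasted message text; an empty result for a message that crossed the router is what you want to see after disabling SIP ALG.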

Disable SIP ALG by Router Brand

Linux (iptables/netfilter)

# Unload the SIP ALG modules
modprobe -r nf_nat_sip
modprobe -r nf_conntrack_sip

# Permanently blacklist them
echo "blacklist nf_nat_sip" >> /etc/modprobe.d/blacklist-sip.conf
echo "blacklist nf_conntrack_sip" >> /etc/modprobe.d/blacklist-sip.conf

# Alternative: turn off automatic conntrack helper assignment via sysctl
# (this knob exists on kernels before 6.0; newer kernels never auto-assign helpers)
echo "net.netfilter.nf_conntrack_helper=0" >> /etc/sysctl.conf
sysctl -p

# Verify they're unloaded
lsmod | grep sip
# Should return nothing

pfSense / OPNsense

# pfSense:
# System > Advanced > Firewall & NAT
# Check "Disable pf scrubbing" (or set to "Fragment Reassemble" only)
# Firewall > NAT > Outbound > Manual mode
# Set "Static Port" for SIP/RTP traffic

# OPNsense:
# Firewall > Settings > Advanced
# Disable "Firewall Optimization" for SIP
# Or use Hybrid outbound NAT with static port for SIP

Ubiquiti (EdgeRouter / UniFi)

# SSH into the EdgeRouter:
configure
set system conntrack modules sip disable
commit
save

# UniFi Security Gateway (USG):
# Via CLI:
configure
set system conntrack modules sip disable
commit
save

# For UniFi Dream Machine:
# Settings > Advanced > SIP ALG > Disable

MikroTik (RouterOS)

# Disable SIP helper in MikroTik:
/ip firewall service-port disable sip

# Or via Winbox:
# IP > Firewall > Service Ports > sip > Disable

Consumer Routers (Netgear, TP-Link, ASUS, Linksys)

  • Netgear: Advanced > WAN Setup > Disable SIP ALG (or NAT Filtering > Open)
  • TP-Link: Advanced > NAT Forwarding > ALG > Uncheck SIP ALG
  • ASUS: WAN > NAT Passthrough > SIP Passthrough > Disable
  • Linksys: Administration > Management > SIP ALG > Disable
  • D-Link: Advanced > Firewall > Application Level Gateway > SIP > Disable

Note: Some routers hide the SIP ALG setting. If you cannot find it, try: (1) searching the router model + "disable SIP ALG", (2) updating firmware (newer versions may expose the option), (3) using a different router that allows disabling it.

Workarounds When You Cannot Disable SIP ALG

If you cannot disable SIP ALG (e.g., ISP-provided router with locked settings), try these workarounds:

  1. Use a non-standard SIP port: SIP ALG only inspects port 5060. Change Asterisk to use port 5160 or another port.
    ; In pjsip.conf:
    [transport-udp]
    type=transport
    protocol=udp
    bind=0.0.0.0:5160   ; Non-standard port avoids SIP ALG
  2. Use TLS (port 5061): SIP ALG cannot inspect encrypted TLS traffic, so it cannot modify the SIP messages.
  3. Use a VPN tunnel: Route all SIP/RTP traffic through an encrypted VPN tunnel, bypassing NAT and SIP ALG entirely.
  4. Put Asterisk in the DMZ: If the router supports DMZ, place Asterisk's IP in the DMZ. Some routers skip ALG processing for DMZ hosts.
  5. Bridge mode on ISP router: Put the ISP router in bridge/passthrough mode and use your own router (where you can disable SIP ALG) behind it.