VoIP problems are frustrating. They're often intermittent, difficult to reproduce, and always urgent because they affect the phone system. If you're experiencing issues like handsets failing to register, calls not connecting, one-way audio, or BLF keys behaving erratically — SIP ALG should be the first thing you check.
What is SIP ALG?
SIP ALG stands for SIP Application Layer Gateway. It's a feature built into many commercial routers that's designed to help VoIP traffic pass through NAT (Network Address Translation) firewalls.
The idea was sensible when VoIP was new: SIP packets carry IP addresses inside the packet body, not just in the headers. A standard NAT router doesn't modify those embedded addresses, which can cause issues when the device is behind a firewall. SIP ALG was designed to inspect and rewrite those embedded addresses.
The problem is that modern VoIP providers — including SIP trunk and Microsoft Teams Calling services — have developed far more reliable methods of handling NAT traversal. SIP ALG doesn't just fail to help — it actively interferes, mangling packets in ways that break calls.
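To confirm that a device on the path is editing SIP payloads, compare the same message captured on the LAN side and on the WAN side of the router: a plain NAT only changes the IP/UDP header, so any difference in the SIP text or SDP body means something rewrote it. The Python below is an added example, not part of the original article; the sample messages, addresses and function names are constructed for illustration.

```python
import re

# Constructed, abbreviated INVITE as captured on the LAN side of the router.
SENT = "\r\n".join([
    "INVITE sip:200@pbx.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds;rport",
    "Call-ID: a84b4c76e66710@192.168.1.50",
    "CSeq: 1 INVITE",
    "Contact: <sip:100@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 3747 3747 IN IP4 192.168.1.50",
    "c=IN IP4 192.168.1.50",
    "m=audio 16384 RTP/AVP 0 8",
    "",
])
# Constructed WAN-side copy: Via, SDP c= and the media port were rewritten,
# while Contact and SDP o= still carry the private address.
RECEIVED = (SENT.replace("UDP 192.168.1.50:5060", "UDP 203.0.113.10:1024")
                .replace("c=IN IP4 192.168.1.50", "c=IN IP4 203.0.113.10")
                .replace("m=audio 16384", "m=audio 40000"))

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")

def embedded_addresses(msg):
    """Map each address-bearing field in the SIP text and SDP body to its value."""
    head, _, body = msg.partition("\r\n\r\n")
    fields = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        match = IPV4.search(value)
        if name.strip().lower() in ("via", "contact") and match:
            fields.setdefault(name.strip().lower(), match.group(0))  # topmost Via only
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            fields["sdp " + line[:2]] = line.split()[-1]
        elif line.startswith("m=audio"):
            fields["sdp m=audio port"] = line.split()[1]
    return fields

def alg_rewrites(sent, received):
    """Return {field: (lan_value, wan_value)} for every field that changed in transit."""
    before, after = embedded_addresses(sent), embedded_addresses(received)
    return {k: (v, after.get(k)) for k, v in before.items() if after.get(k) != v}

if __name__ == "__main__":
    for field, (lan, wan) in alg_rewrites(SENT, RECEIVED).items():
        print(f"{field}: {lan} -> {wan}")
```

A partial rewrite like the one in the sample, where Via and the SDP connection line change but Contact does not, leaves signalling and media pointing at different addresses, which matches the registration and one-way audio symptoms listed below.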
Common symptoms of SIP ALG interference
- Handsets fail to register (or register intermittently)
- Incoming calls don't ring, or only ring some handsets
- BLF (Busy Lamp Field) keys don't update or behave unpredictably
- One-way audio — caller can hear you but you can't hear them, or vice versa
- Audio drops out mid-call
- Calls work fine for a while, then stop working after a router reboot
How to disable SIP ALG on common routers
Below are step-by-step instructions for the routers and firewalls we encounter most often in Australian business environments. After making changes on any device, always reboot the router before testing.
Cisco Meraki MX
Meraki MX security appliances do not implement SIP ALG — it cannot be enabled or disabled because the feature simply doesn't exist on these devices. If you're experiencing VoIP issues behind a Meraki MX, the cause lies elsewhere. Check the following instead:
- Verify that 1:1 NAT or port forwarding is configured for your PBX if required
- Ensure UDP ports 5060–5062 (SIP) and 10000–20000 (RTP) are not blocked under Security & SD-WAN → Firewall → Layer 3
- Check that traffic shaping is configured to prioritise VoIP under Security & SD-WAN → Traffic shaping
- If SIP registrations drop after periods of inactivity, reduce the SIP registration interval on your phones or PBX (e.g. to 60 seconds) to keep the NAT pinhole open — the MX's UDP session timeout is not configurable
Cisco IOS / IOS XE Routers
On Cisco IOS routers (ISR G2, ISR 4000 series, etc.), SIP ALG is enabled by default as part of NAT processing. Disable it via the CLI:
configure terminal
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
end
write memory
The change takes effect immediately — no reboot is required. Run write memory to persist across reboots. If your SIP provider uses a non-standard port, add additional lines for that port.
Cisco ASA
On Cisco ASA firewalls, SIP inspection is enabled by default in the global policy. Disable it via the CLI:
configure terminal
policy-map global_policy
class inspection_default
no inspect sip
end
write memory
The change takes effect immediately; no reboot is required. Once SIP inspection is disabled, the ASA will no longer dynamically open RTP pinholes, so make sure your access control rules explicitly permit the RTP media port range used by your VoIP provider (typically UDP 10000–20000).
FortiGate (FortiOS 7.x)
FortiGate requires multiple changes via the CLI to fully disable SIP ALG. There is no GUI toggle for this — connect via SSH or the built-in CLI console and run each step in order.
Step 1 — Disable SIP expectation and NAT trace:
config system settings
set sip-expectation disable
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
Note: On FortiOS versions older than 6.2.2, the command is set sip-helper disable instead of set sip-expectation disable. The default-voip-alg-mode setting may not exist on very old firmware and can be safely skipped if it errors.
Step 2 — Delete the SIP session helper:
config system session-helper
show
Look through the output for the entry that references port 5060 (SIP). Note its ID number — it is typically entry 13, but may differ by model and firmware version. Then delete it:
delete 13
end
Step 3 — Disable SIP in the default VoIP profile:
config voip profile
edit default
config sip
set status disable
set rtp disable
end
next
end
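Step 4 — Clear existing SIP sessions. Session filters accumulate until they are cleared, so reset the filter before each pass; otherwise the second pass only matches sessions that have both source and destination port 5060:
diagnose sys session filter clear
diagnose sys session filter proto 17
diagnose sys session filter dport 5060
diagnose sys session clear
diagnose sys session filter clear
diagnose sys session filter proto 17
diagnose sys session filter sport 5060
diagnose sys session clear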
Step 5 — Reboot the firewall. While Steps 1–4 take effect for new sessions immediately, the session helper deletion in Step 2 requires a reboot to fully take effect. Schedule a maintenance window reboot after making these changes.
DrayTek Vigor
Via the web interface (firmware 3.8.5 and newer — applies to Vigor 2860, 2862, 2865, 2927 and similar models):
- Log in to the router's web interface (default address is 192.168.1.1)
- In the left-hand menu, expand NAT and click ALG
- Untick Enable SIP ALG (and RTSP ALG if present)
- Click OK to save, then reboot the router
Via Telnet or Web Console (alternative method — works on all DrayOS firmware versions):
sys sip_alg 0
sys commit
sys reboot
MikroTik (RouterOS 7.x)
Via WinBox or WebFig:
- Navigate to IP → Firewall
- Click the Service Ports tab
- Select the sip entry and click the red X (disable) button
- Also disable the h323 entry — it's a related VoIP helper that can cause similar issues
- Reboot the router
Via Terminal:
/ip firewall service-port disable sip
/ip firewall service-port disable h323
Ubiquiti / UniFi
UniFi Network Application (8.x and newer):
- Open the UniFi Network controller
- Go to Settings → Routing → NAT
- Scroll to Firewall Connection Tracking (Conntrack Modules)
- Disable SIP and H.323
- Click Apply Changes — the gateway will reprovision automatically
Via SSH (USG only — UDM and UDM-Pro should use the GUI method above):
configure
set system conntrack modules sip disable
commit
save
exit
Note: On USG devices, SSH changes revert on reprovision. To make the change persistent, add it to your config.gateway.json file. UniFi Network 9.0.114 and later disables SIP ALG by default.
TP-Link
Consumer routers (Archer series):
- Log in to the router's web interface (default address is typically 192.168.0.1 or 192.168.1.1)
- Navigate to Advanced → NAT Forwarding → ALG (on some older firmware this may be under Network → ALG Settings)
- Untick SIP ALG
- Click Save and reboot the router
Omada business routers (ER605, ER7206): In the Omada Controller, go to Settings → Transmission → NAT → ALG and disable SIP ALG. In standalone mode, the path is Transmission → NAT → ALG.
TP-Link Deco mesh systems: Open the Deco app, go to More → Advanced → NAT Forwarding → SIP ALG and disable it.
D-Link
- Log in to the router's web interface (default address is typically 192.168.0.1)
- Go to Advanced → Firewall Settings
- Under Application Level Gateway (ALG) Configuration, untick SIP
- Click Save and reboot the router
Billion BiPAC
Common in Australian NBN and DSL environments (BiPAC 7800, 8700, 8900 series):
- Log in to the router's web interface (default address is typically 192.168.1.254)
- In the left-hand menu, navigate to Configuration → NAT → ALG
- Untick SIP (and H.323 if present)
- Click Apply and reboot the router
SonicWall
SonicWall calls its SIP ALG feature "SIP Transformations." To disable it:
- Log in to the SonicWall management interface
- Navigate to Network > VoIP > Settings (on SonicOS 6.5 and older, this is under Manage > VoIP)
- Untick Enable SIP Transformations
- Tick Enable Consistent NAT — this ensures VoIP devices behind NAT receive predictable port mappings
- Click Accept or Save
Also recommended: increase the UDP timeout from the default 30 seconds to at least 120 seconds. You can do this globally under Network > Firewall > Flood Protection > UDP tab, or per-rule on the LAN to WAN access rule's Advanced tab.
Sophos XG / XGS
Sophos does not expose a SIP ALG toggle in the web GUI — it must be disabled via the CLI.
- Log in to the CLI via SSH, Telnet, or the built-in console (Admin > Console in the top-right of the web admin)
- Run the following command to disable the SIP module:
system system_modules sip unload
To verify the current status:
system system_modules show
Note: The SIP module is enabled by default. Sophos also has a default UDP timeout of 60 seconds, which is often too low for reliable VoIP — consider increasing it if you experience registration dropouts.
Palo Alto
Palo Alto firewalls allow you to disable SIP ALG per-application without disabling App-ID or threat detection:
- Log in to the web interface
- Navigate to Objects > Applications
- Search for sip and click on the SIP application
- In the application details, look at the Options section (bottom-right)
- Click Customize
- Tick Disable ALG
- Click OK, then Commit the configuration
This is a device-wide setting and is not configurable per-policy or via Panorama. Disabling the ALG does not affect App-ID identification or threat inspection — it only stops the firewall from rewriting SIP packet contents.
Netgear
- Log in to the router's web interface (default address is 192.168.0.1 or routerlogin.net, username admin)
- Click Advanced, then Setup, then WAN Setup
- Tick the checkbox labelled Disable SIP ALG
- Click Apply
Note: SIP ALG is enabled by default on Netgear routers. Some older models or firmware versions may not show this option — if it's missing, update the firmware first. Some Orbi mesh models (including the RBR750 and RBR50v2) do not expose the SIP ALG toggle at all — contact Netgear support if you're unable to find the setting.
pfSense / OPNsense
Neither pfSense nor OPNsense has a built-in SIP ALG — there is nothing to disable. If you're experiencing VoIP issues behind one of these firewalls, the cause is typically NAT-related. Check the following:
- Switch to Manual Outbound NAT and enable Static Port on your outbound NAT rule for UDP traffic from VoIP devices — this prevents the firewall from randomising source ports
- Under System > Advanced > Firewall & NAT, set Firewall Optimization Options to Conservative — this increases state table timeouts, which helps keep SIP registrations alive
- Do not install the siproxd package unless you have a specific reason — it acts as a SIP proxy and can introduce the same problems as SIP ALG on other routers
ASUS
- Log in to the router's web interface (default address is typically 192.168.1.1 or router.asus.com)
- In the left-hand menu under Advanced Settings, click WAN
- Click the NAT Passthrough tab across the top
- Set SIP Passthrough to Disable
- Click Apply
Reboot your VoIP phones afterwards (or wait for their next registration cycle) so they pick up the updated NAT table.
Telstra Smart Modem (Gen 2 / Gen 3)
The Telstra Smart Modem does not provide an option to disable SIP ALG through its web interface. If you're running a VoIP phone system behind a Telstra Smart Modem and experiencing SIP ALG symptoms, you have two options:
- Bridge mode — Go to Advanced > Local Network, scroll to Network Mode, and switch to Bridge Mode. This disables the modem's routing (and SIP ALG) entirely, passing the raw connection through to your own router or firewall. Note: bridge mode also disables the modem's Wi-Fi, 4G backup, and Telstra's remote diagnostics.
- Replace the modem — Use the Telstra Smart Modem purely as an NBN NTD connection and place your own router (with SIP ALG disabled) behind it, or replace it entirely with a third-party modem if your NBN connection type allows it.
If you're unsure which approach suits your setup, contact our team — we help businesses work around this limitation regularly.