99.8% of the time we recommend turning SIP ALG off, the exception to this is if you are using an actual SBC (Session Border Controller).
SIP ALG stands for Application Layer Gateway. You will find it on many commercial and residential Firewalls, Routers, or Modems. It is a NAT tool that inspects SIP Messages and transforms the Private IP addresses and Ports to Public IP Addresses and Ports.
SIP ALG was built as a tool when Hosted PBX's didn't have a great NAT solution. To this day some still do not understand NAT. Our system fully understand NAT and prefers the use of private IP addresses in SIP Messaging opposed to the Public IP Address. The message is delivered back to the Public IP Address and Port from which it was received.
Secondly, many commercial Firewalls and Modems do not fully understand SIP and SIP Routing. The replacement of the private IP is done via Scripting, which can also eliminate critical parts of the SIP message. They also commonly have problems with their own internal NAT Routing Table for the messages they transformed, causing some SIP messages to be delivered to the wrong endpoint or not be delivered at all.
There are many Symptoms of SIP ALG, here are some of the most common symptoms we see.
There are some misconceptions, as SIP ALG is only a NAT tool it does NOT effect the following:
Although, SIP ALG usually causes problems right away, it can exist on your customers Network for months or years before being troublesome. This can be due to a firmware update or corruption of the file system on the routing device.
You can look in a SIP Trace from SkySwitch to easily determine if there is SIP ALG. This assumes you understand the difference between a public and private IP address. IF you see a Public IP address from your customer's phone in the Contact Header, or anywhere in the SDP Body, this is a very good indication there is SIP ALG.
The exception is if the phone itself has a Public IP address, or you are using another NAT Tool like STUN, TURN, or ICE. These tools are not necessary and we don't recommend their use. STUN, TURN, and ICE are things that you must configure, so it's likely they are not the problem.
In the following image, we can see this is an INVITE from a Polycom VVX 410. We see the Public IP Address 5 times in this SIP message, but it normal to see it in the 'Received packet from' and Via Headers (indicated by Green). It should NOT be seen in the Contact Header or SDP body (Indicated by Red). 188.8.131.52 is a ficticious Public IP Address.
It is easy to detect of SIP ALG is there, but not always so easy to turn it off. Here are some tips...