Glossary · SIP ALG
What is SIP ALG?
SIP ALG (Session Initiation Protocol Application Layer Gateway) is a feature built into many consumer and business routers that inspects SIP signalling traffic as it crosses NAT and rewrites the IP addresses and ports inside the packets to match the router’s public address. It was designed to help SIP calls traverse NAT — but in practice it frequently corrupts the very packets it tries to fix, making it one of the most common hidden causes of dropped calls, failed registrations, and one-way audio on business VoIP systems.
How SIP ALG works
SIP carries IP addresses and port numbers inside the message body (the SDP payload), not just in the packet headers. When a phone behind a private network sends a SIP message, those embedded addresses point to internal, non-routable IPs that the outside world cannot reach.
NAT rewrites the packet header, but a basic NAT device does not touch the SIP payload. SIP ALG was created to close that gap: it reads the SIP and SDP contents, then rewrites the embedded addresses and ports to the router’s public values so the far end knows where to send signalling and media.
In principle this is helpful. In practice, ALG implementations vary widely in quality, and many rewrite headers in ways a modern cloud PBX or SBC does not expect — breaking the call flow instead of fixing it.
Why SIP ALG causes problems
The symptoms are consistent and well documented across VoIP providers:
| Symptom | Typical cause under SIP ALG |
|---|---|
| One-way audio | ALG rewrites the SDP media port incorrectly, so RTP flows in only one direction |
| Dropped calls | Corrupted or mismatched headers break the session mid-call |
| Failed / intermittent registration | ALG mangles the Contact or Via header, so the server cannot reach the phone |
| Phone shows registered but no inbound calls | Public address in the rewritten Contact header does not match the live NAT mapping |
Modern VoIP has also moved past the problem ALG was meant to solve. Encrypted signalling (SIP over TLS) hides the payload from the router entirely, so the ALG cannot read or rewrite it, and media is increasingly carried over SRTP. Meanwhile, endpoints and SBCs now perform their own NAT traversal. That makes SIP ALG redundant at best and actively harmful at worst — which is why most providers recommend turning it off.
SIP ALG vs. modern NAT traversal
SIP ALG is a router-side, in-path rewrite. Modern VoIP instead solves NAT at the endpoint and the provider edge:
- Endpoint keep-alives: phones send periodic SIP messages to keep the NAT pinhole open, so the provider always has a valid path back.
- Symmetric SIP / RTP: the SBC ignores the addresses embedded in the payload and replies to the address the packet actually came from — defeating the problem ALG tried to patch.
- Far-end NAT traversal: the provider’s session border controller handles address translation centrally, so individual routers do not need to.
Because these mechanisms work whether or not the payload is encrypted, the standard guidance is the same across the industry: disable SIP ALG at the router and let the endpoints and SBC manage NAT.
Where SIP ALG matters for business phone
For a business running cloud telephony, SIP ALG is usually the first thing to check when calls behave strangely on a specific site. The setting is normally found in the router under NAT or firewall options, sometimes labelled “SIP ALG” or “SIP Passthrough,” and toggling it off resolves a large share of registration and audio complaints.
It is a per-site issue: one branch on a router with an aggressive ALG can suffer while every other location works perfectly, which makes it easy to misdiagnose as a provider fault. Confirming the router model and ALG state early saves hours of troubleshooting.
SIP ALG frequently asked questions
What does SIP ALG mean?
SIP ALG stands for Session Initiation Protocol Application Layer Gateway. It is a router feature that inspects SIP signalling crossing NAT and rewrites the IP addresses and ports inside the packets to match the router’s public address.
It was intended to help VoIP calls traverse NAT, but poor implementations often corrupt the packets instead, which is why most VoIP providers recommend disabling it.
Why should I disable SIP ALG?
Many router ALG implementations rewrite SIP and SDP headers in ways a modern cloud PBX or SBC does not expect, causing dropped calls, failed registrations, and one-way audio.
Modern endpoints and session border controllers handle NAT traversal themselves, so SIP ALG is usually redundant. Disabling it removes the in-path rewriting that breaks calls.
Does SIP ALG cause one-way audio?
Yes. One-way audio is a classic SIP ALG symptom. It happens when the ALG rewrites the media (RTP) port information in the SDP payload incorrectly, so the audio stream only flows in one direction while signalling still appears to work.
How do I disable SIP ALG on my router?
The setting is usually under the router’s NAT or firewall configuration, sometimes labelled “SIP ALG” or “SIP Passthrough.” Disable or uncheck it, then reboot the router and re-register the phones. The exact location varies by router brand, so check the model’s admin interface or vendor documentation.
Does SIP ALG affect encrypted SIP traffic?
When SIP signalling is encrypted with TLS, the router’s ALG cannot read the payload, so it cannot rewrite the embedded addresses. This makes SIP ALG redundant for encrypted VoIP and is part of why modern deployments rely on endpoint and SBC-based NAT traversal instead.
See how DialPhone fits
DialPhone’s business phone relies on provider-side SBC NAT traversal and endpoint keep-alives rather than router rewriting, so calls stay stable across typical NAT setups. When a site hits one-way audio or registration drops, our standard first step is to check for and disable SIP ALG on the local router — after which the connection is managed cleanly end to end.