Blacklist; Routers with known SIP Issues
Posted by Bob Russo on 06 November 2017 04:05 PM

Routers with known issues

updated 11/6/17

In working with various resellers and customer sites to implement SIP endpoints, ESI technical staff has come across routers that either will not support SIP or pose configuration settings that are not intuitive. In an effort to help our customers ensure their network devices provide the best service possible we are posting our findings on several modems, firewalls and routers, and continue to update this list as we find others with problems. This list is not a complete list, as we get reports from the field or through in house testing of devices that cause issues we will add them to the list. There are certainly devices in the market place that will cause problems that we have not yet run across so please do not use this list as a definitive guide and assume that any device not listed is therefore endorsed.

ALG setting are one of the biggest issues with routers and industry wide this is a problem. We are including an explanation that we found to be concise in explaining the problem from the VOIP-Info website.

(Excerpt from: 

Many of today's commercial routers implement SIP ALG (Application-level gateway), coming with this feature enabled by default. While ALG could help in solving NAT related problems, the fact is that many routers' ALG implementations are wrong and break SIP. 

The main problem is the poor implementation at SIP protocol level of most commercial routers and the fact that this technology is just useful for outgoing calls, but not for incoming calls:


  • Lack of incoming calls: When a UA is switched on it sends a REGISTER to the proxy in order to be localizable and receive incoming calls. This REGISTER is modified by the ALG feature (if not the user wouldn't be reachable by the proxy since it indicated a private IP in REGISTER "Contact" header). Common routers just maintain the UDP "connection" open for a while (30-60 seconds) so after that time the port forwarding is ended and incoming packets are discarded by the router. Many SIP proxies maintain the UDP keep-alive by sending OPTIONS or NOTIFY messages to the UA, but they just do it when the UA has been detected as natted during the registration. A SIP ALG router rewrites the REGISTER request so the proxy doesn't detect the NAT and doesn't maintain the keep-alive (so incoming calls will be not possible).


  • Breaking SIP signaling: Many of the actual common routers with inbuilt SIP ALG modify SIP headers and the SDP body incorrectly, breaking SIP and making communication just impossible. Some of them do a whole replacing by searching a private address in all SIP headers and body and replacing them with the router public mapped address (for example, replacing the private address if it appears in "Call-ID" header, which makes no sense at all). Many SIP ALG routers corrupt the SIP message when writing into it (i.e. missed semi-colon ";" in header parameters). Writing incorrect port values greater than 65536 is also common in many of these routers.


  • Disallows server side solutions: Even if you don't need a client side NAT solution (your SIP proxy gives you a server NAT solution), if your router has SIP ALG enabled that breaks SIP signaling, it will make communication with your proxy impossible.  


 (end of excerpt) 

In our working through customer/site issues we have found the following routers to have issues. This list should not be taken to be definitive, but only representative of devices our customers have actually had in place and the resolutions taken. Also to note is if a router/modem is running DOCSIS 2.0 vs 3.0, we have tried to note which modems are running the 2.0 version however manufactures are subject to changing firmware and the requirements that it will meet without notification. The older version does not support higher bandwidth usage that is required with multiple (usually greater than 4) calls.

The following devices are definitely problematic.  Please note the problems and corrections listed below each model.

  • Arris
    • modem/gateway running DOCSIS 2.0
      • Problems: These devices running DOCSIS 2.0 have limited bandwidth support; if more than four simultaneous calls are connected, it discards packets, causing audio issues.
      • Correction: Change to a modem running DOCSIS version 3.0 as it has greater bandwidth support.
  • Cisco
    • RV042
      • Problems: This firewall is known to intermittently allow phantom calls even when the port forwarding is locked down to a particular source address or range.
      • Correction: Change to a business class firewall with the necessary features.
  • Comcast
    • Home version with wireless
      • Problems: The home version with wireless gets used by Comcast to also support their open Wi-Fi network (Hotspot) and this can lead to over utilization and voice quality issues. It is reported that it can be disabled, instructions are here  If this does not work then a call to ComCast customer service is needed.
      • Correction: Change to Comcast business version.
  • Dlink
    • DIR-655
      • Problems: SIP ALG is enabled by default; the router stops passing the audio packets after 10 seconds of connection, reporting that the port is not available.
      • CorrectionChange to a business class firewall with the necessary features.
  • EdgeMarc 
    • EdgeMarc
      • Problems: EdgeMarc routers have problems supporting transfer, providing pass through when acting as proxy and the SIP ALG whether off or on (which requires separate licensing) does not function correctly. Older firmware versions have less problems than the newer.
      • CorrectionChange to a business class firewall with the necessary features.
  • Motorola
    • SBG-650
      • Problems: Usually leads to audio problems (used by Time Warner). The problem with this one is that under high utilization it starts buffering (or even freezing) packet output and there doesn't appear to be a way to set QOS to still allow RTP, so will eventually end up with voice quality issues.
      • Correction: Change to a business class firewall with the necessary features.
  • Netgear
    • CG3000DCR
      • Problems: SIP ALG is enabled by default and cannot be disabled, even by Comcast support.
      • Correction: Configure the modem to be in bridge mode (Comcast may need to do this) and use a business class firewall behind it to perform QOS functions.
  • Ubee
    • modem/router
      • Problems: frequently used by Time Warner; intermittently causes loss of audio.  Per a Time Warner engineer, there is a cache that crashes and then stops RTP from passing through.
      • Correction: Change to a modem with the necessary features.

The following routers are known to have SIP ALG enabled by default and can be disabled following the instructions listed below.  If additional makes/models are identified please let Tech Support know so the document can be updated.

  • Motorola - SBG6580 - (SurfBoard Extreme Wireless Cable Modem Gateway)
    No Registration possible behind NAT as the device changes Call-ID and causes the responses to be discarded by SIP clients/ATAs
    No Solution at this time (SIP ALG, called SIP Pass Through, can not be disabled) .
    Must disable NAT and put the device in bridge mode (check Mororola website for guide).
  • SpeedTouch - ST560 v6 (firmware >= comeswithSIPALG enabled by default.) NAT type: symmetrical
    Issues: No incoming calls. It replaces the private IP appearing in SIP headers with the public IP using a dumb text replacement. If for example the private IP appears in the "Call-ID" it replaces it too (that it's completely unnecessary).
    To disable SIP ALG:
    ~# telnet router
    -> connection unbind application=SIP port=5060
    -> save all
  • Zyxel - 660 family comeswithSIPALGenabed by default. NAT type: symmetrical
    No incoming calls.
    SIP protocol broken making 50% of outgoing calls impossible because the wrong values are inserted into SIP headers.
    To disable SIP ALG:
    ~# telnet router
    Menu option "24. System Maintenance".
    Menu option "8. Command Interpreter Mode".
    ip nat service sip active 0
  • Netgear - WGR614v9 Wireless-G Router, DGN2000 Wireless-N ADSL2+ Modem Router
    Firmware V1.0.18_8.0.9NA
    To disable SIP ALG: From Wan Setup Menu, NAT Filtering, uncheck the box next to "Disable SIP ALG"
  • SMC - ToDo - NAT type: No symmetrical
    The ALG doesn't replace the private address in "Call-ID" header (that is correct) but it does replace the "call-id" value in "Refer-To" header so SIP transfer is broken.
    To disable SIP ALG: ToDo no ALG related options found via web and telnet. No idea of how to disable it.
  • Linksys - WRV200, WRT610N. NAT type: Symmetrical
    The ALG replaces the private address in "Call-ID" header (not needed at all). Some phones (as Linksys with latest firmware) encode the "Call-ID" value in the "Refer-To" header (by escaping the dots) so the private IP appearing there is not replaced with the public IP. This causes that the call transfer fails since the proxy/PBX/endpoint will not recognize the dialog info.
    To disable SIP ALG on WRV200; no ALG related options found via web and telnet. No idea of how to disable it.
    To disable SIP ALG on WRT610N: Web Interface: Administration, Management, under side heading 'Advanced Features' SIP ALG, can be disabled.
  • Fortinet - All models come with SIP Helper enabled by default
    To disable SIP helper:
    ~# telnet firewall
    config system settings
    set sip-helper disable
    set sip-nat-trace disable
    config system session-helper
    show <---- use this to find out which entry is configured for typically 12 or 13
    delete 12
    For SIP Trunks
      *If using Virtual IPs under objects make sure to turn OFF NAT within each IPv4 rule for VoIP. If not using Virtual IPs under objects make sure to turn ON NAT under each IPv4 rule for VoIP.
    The preferred solution is to configure the SIP ALG. Policies that use the SIP ALG will not use SIP helper. Full documentation at then pick FortiOS for the version on your device, then VoIP solutions: SIP.
  • Cisco - 800 series To disable the NAT services for SIP in IOS, just run these commands:
    no ip nat service sip tcp port 5060
    no ip nat service sip udp port 5060
  • Juniper/Netscreen - SSG Series TodisableSIPALG:
    In the Web interface: Security -> ALG
  • Asus RT-AC66U - Firmware enables their SIP ALG by default, previously it was not possible to disable from the GUI interface. With the latest firmware (as of 3/15/16) there is now a way to disable via the interface, Asus refers to this as SIP Pass-through. Un-checking the box for the feature will disable it. Attached below is a screen capture of the GUI page.
  • Comcast DPC3939B - has ALG pre-installed and cannot be turned off.
  • Comcast Netgear Gateway Model CG3000 DCR -  will not allow customer to disable SIP ALG. The only true way to work around this is to place the CG3000 into bridge mode and then place a router/firewall behind it. *(note, we have seen sites that made this change and still encountered issues, suspicion is that it does not function in a true bridge mode. Some sites had to replace with a regular modem.)
  • Arris TG862G and TG862G-CT - SIP ALG is enabled and no way to disable. These are often used by Comcast as a Gateway.
  • AT&T Uverse Arris NVG589 - SIP ALG is enabled by default and cannot be disabled. By default it will not support hosted phones, AT&T may be able to open port 5060 for SIP traffic but it is reported to us it is not possible for user level admin to do so.
  • ACTIONTEC model GT784WNV - Frequently used by Verizon. The manual states that ALG is assigned automaticaly and there is no mention of a way to disable.
  • Verizon FiOS G1100 - This modem has SIP ALG enabled by default and Verizon has not provided a method to disable this feature. Verizon has also not released if it can be disabled by Verizon itself. Best recommendation at this time is not to use this modem. White page link


 asus_rt-ac66u.png.png (170.25 KB)
(30 votes)
This article was helpful
This article was not helpful

Comments (0)
Help Desk Software by Kayako