An Application Layer Gateway (ALG) is a security service or filter included in many network firewalls and routers. It is intended to handle application-level routing, filtering, and NAT traversal of various services used in internetworking today.
Purpose of an SIP ALG
ALGs perform a few optional services on the network edge:
- NAT traversal for applications that are not NAT-aware
- Session control for specific applications that require certain ports to remain open
- Policy-based routing and traffic redirection for specific applications
- Granular control of application functions, commands, and features
Understanding SIP ALGs
ALGs typically reside on the edge router and use stateful or deep packet inspection to detect and then modify their target data. ALGs perform a function similar to transparent proxies.
Identifying an SIP ALG on a Network Firewall or Router
SIP ALGs are labeled with a variety of naming conventions including:
- SIP Inspection
- SIP Fixup
- SIP Inspect Service
- SIP Pass-Through
- SIP Transformations
- SIP Cleanup
- SIP Helper
- Voice Filtering Rules
Most network firewalls and routers have SIP ALGs enabled by default. More often than not, SIP ALG settings are found only in hidden or 'advanced' configuration menus. Sometimes, particularly with certain Cisco devices, SIP ALGs are not exposed in the web management portal of the firewall/router but within the command line interface (if equipped). Review your firewall/router vendor's documentation to determine if a SIP ALG is present, if it is enabled by default, and if it can be disabled. In other cases, such as rented or managed equipment from your ISP, the end customer may not be able to disable the SIP ALG without a support call to the ISP's help desk.
Symptoms of an SIP ALG Causing VoIP Call Problems
An ALG that is not compatible with the Barracuda Phone System can cause a wide range of issues for both inbound and outbound calls. The most common symptoms can include, but are not limited to:
- One-way ability to originate or terminate calls (e.g., can place an outbound call but cannot receive an inbound call).
- One-way audio for whole calls or during specific portions of calls in either direction (e.g., outbound or inbound).
- Particular portions of SIP signaling messages that are missing or contain incorrect information.
- Calls between the Barracuda Phone System and remote phones and/or SIP providers that appear to connect successfully but drop suddenly less than one minute after the call was established.
Typically, signaling and/or audio problems appear on:
- Calls from phones that must traverse a NAT router to terminate at the Barracuda Phone System.
- Calls that are originated from the Barracuda Phone System to remote phones that are registered outside of the LAN.
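One way to check for missing or altered SIP signaling, as an added example that is not part of the original page or Barracuda's own code: capture the same SIP message on the phone and on the phone system, then compare headers and SDP. It assumes no SIP proxy sits between the two capture points, so a plain NAT router would leave the SIP payload untouched; all names, addresses and messages are constructed.

```python
from itertools import zip_longest
def parse_sip(raw):
    """Split a SIP message into (start_line, headers, sdp_lines)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers, [l.strip() for l in body.split("\n") if l.strip()]

def alg_findings(sent_raw, received_raw):
    """List (kind, field, sent, received) for every part that changed in transit."""
    s_start, s_hdr, s_sdp = parse_sip(sent_raw)
    r_start, r_hdr, r_sdp = parse_sip(received_raw)
    findings = []
    if s_start != r_start:
        findings.append(("modified", "start-line", s_start, r_start))
    for name in sorted(set(s_hdr) | set(r_hdr)):
        before, after = s_hdr.get(name), r_hdr.get(name)
        if before != after:
            kind = "missing" if after is None else "added" if before is None else "modified"
            findings.append((kind, name, before, after))
    for before, after in zip_longest(s_sdp, r_sdp):  # SDP lines compared in order
        if before != after:
            findings.append(("modified", "sdp " + (before or after)[:2], before, after))
    return findings

# Constructed samples: SENT as captured on the phone, RECEIVED as seen by the phone system.
SENT = """INVITE sip:200@pbx.example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds
From: <sip:101@pbx.example.com>;tag=1928301774
To: <sip:200@pbx.example.com>
Call-ID: a84b4c76e66710@192.168.1.50
CSeq: 314159 INVITE
Contact: <sip:101@192.168.1.50:5060>
Allow: INVITE, ACK, BYE, CANCEL
Content-Type: application/sdp

v=0
o=- 2890844526 2890844526 IN IP4 192.168.1.50
s=-
c=IN IP4 192.168.1.50
t=0 0
m=audio 49170 RTP/AVP 0
"""
RECEIVED = (SENT.replace("192.168.1.50:5060", "203.0.113.10:1024")
                .replace("c=IN IP4 192.168.1.50", "c=IN IP4 203.0.113.10")
                .replace("Allow: INVITE, ACK, BYE, CANCEL\n", ""))
```

Calling `alg_findings(SENT, RECEIVED)` returns one tuple per dropped or rewritten field; an empty list means the payload arrived as sent.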
Recommended SIP ALG Configuration on Edge Routers
The Barracuda Phone System is designed with NAT traversal in mind, and in most instances, handles the same functions as an SIP ALG more effectively without an external filtering server/service in place. In almost all known instances, it is recommended that you disable any SIP ALGs.