Troubleshooting Firewalls to work with SIP trunking

Posted on December 9, 2014 by

Your firewall is a threat to the quality of your voice calls. I know that’s a jarring statement. You need a firewall, and you need high-quality SIP trunking. And it gets stranger still when you consider that the reason your router or firewall can be bad for your calls is a feature set up to help calls get through. Yep, the best way to troubleshoot your firewall for SIP trunking issues is to troubleshoot the troubleshooting. Let me explain.


How NATing gets in the way:

Most likely, all of the endpoints on your network reach the Internet through a central router. That router has a single public IP address assigned by your Internet Service Provider, while each device behind it has a private address (from the 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 ranges). When a device sends a packet to the Internet, the router rewrites the packet’s source address and port to its own public address and a port it picks, records that translation in a table, and uses the table to forward the reply back to the right device. This is Network Address Translation (NAT). NAT works great for connections the inside device initiates, like web browsing or fetching email, because the reply simply follows the table entry back in. For real-time, two-way sessions like SIP trunking it causes problems, because SIP carries addresses and ports inside the messages themselves, and the router does not translate those.

SIP sets up a call by exchanging the parameters of the connection in the body of the signaling (the SDP), including the IP address and port where the call audio (RTP) should be sent. The problem arises when the called party receives the private IP address of the endpoint placing the call, because a private address is by definition not routable on the public Internet. Your audio reaches the other end fine, since the router translates it on the way out, but when the other end sends its audio to the address it was given, those packets have nowhere to go. The person you’re calling can hear you, but you can’t hear them. One-way audio… frustration.

How SIP ALG doesn’t help:

SIP Application-level gateway (ALG) comes enabled by default on many routers. It is meant to fix this by reaching into the SIP messages, pulling out the private address and dropping your public address in its place, and then forwarding whatever the other end sends back to the public address along to the private address. The process is commonly referred to as ‘packet mangling’.

But there’s a problem with SIP ALG. As VoIP-Info describes it, “The main problem is the poor implementation at SIP protocol level of most commercial routers.” And then, says VoIP-Info, there’s the fact that SIP ALG is only really helpful for outgoing calls, not so much incoming calls. That’s because when an endpoint behind NAT REGISTERs with the SIP proxy, the proxy needs to send periodic keep-alives to hold the NAT binding open so that incoming calls can still reach the endpoint, but it sends those keep-alives only when it detects that the endpoint is NATed, which it does by noticing that the address inside the request does not match the address the packet actually arrived from. SIP ALG rewrites the request so that the two match and the proxy can’t detect the NAT: no keep-alives are sent, the NAT binding times out, and the registration is effectively lost, so incoming calls never reach the phone.

SIP ALG also has a habit of breaking SIP signaling. The SIP ALG in many commercial routers modifies SIP headers incorrectly. When the private IP address assigned to the endpoint is replaced with the public IP, the router needs to keep a record of which private IP and port the returning traffic must be directed back to. Broken implementations often fail to create or maintain that record for both of the streams a SIP call needs, the signaling and the media, resulting in dropped calls or one-way audio. And sometimes an ALG writes the wrong ports into the signaling, so the return traffic does end up somewhere, just the wrong somewhere. One-way audio, dropped calls… frustration.
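The NAT problem and the ALG rewrite described in the last few paragraphs, as an added example written for this post rather than Flowroute’s or any router vendor’s code. It builds a constructed INVITE from a phone at 192.168.1.20 behind a router whose public address is 203.0.113.7 (both invented for the example, as are the SIP domain and port numbers), checks which fields the far end will send traffic to still carry a private address, and simulates a NAT table plus a correct ALG rewrite of Via, Contact, the SDP c= address and m= port, recording each binding and recomputing Content-Length because the address text changes length:

```python
import ipaddress
import re

# Added example, not Flowroute's code.  192.168.1.20 is the phone behind NAT and
# 203.0.113.7 the router's public address; both are invented for the demo.
PUBLIC_IP = "203.0.113.7"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOSTPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")

# Constructed SDP: c= says where the far end must send audio, m= on which port.
SDP = ("v=0\r\n" "o=- 1 1 IN IP4 192.168.1.20\r\n" "s=-\r\n"
       "c=IN IP4 192.168.1.20\r\n" "t=0 0\r\n" "m=audio 16384 RTP/AVP 0\r\n")

# Constructed INVITE as the phone emits it (headers trimmed to the relevant ones).
INVITE = (
    "INVITE sip:15555550100@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:12125550123@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP.encode())}\r\n\r\n" + SDP
)

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def private_addresses(msg):
    """Private addresses in the fields the far end actually sends traffic to:
    Via and Contact (signaling) and the SDP c= line (media)."""
    found = set()
    for line in msg.split("\r\n"):
        if line.lower().startswith(("via:", "contact:", "c=")):
            found.update(a for a in IPV4.findall(line) if is_rfc1918(a))
    return sorted(found)

class Nat:
    """The router's translation table: public port -> (private ip, private port)."""
    def __init__(self, public_ip):
        self.public_ip, self.bindings, self.next_port = public_ip, {}, 40000

    def bind(self, private_ip, private_port):
        for pub, priv in self.bindings.items():
            if priv == (private_ip, private_port):
                return pub
        pub, self.next_port = self.next_port, self.next_port + 1
        self.bindings[pub] = (private_ip, private_port)
        return pub

    def inbound(self, public_port):
        """Where a packet arriving on public_port goes; None means the router drops it."""
        return self.bindings.get(public_port)

def alg_rewrite(msg, nat):
    """What a correct SIP ALG does: swap the private host:port in Via and Contact
    for a public one, do the same for the SDP c= address and m= port, record every
    binding so return traffic can be forwarded, and recompute Content-Length
    because the address text changed length."""
    head, _, body = msg.partition("\r\n\r\n")

    def translate(m):
        ip, port = m.group(1), int(m.group(2))
        return f"{nat.public_ip}:{nat.bind(ip, port)}" if is_rfc1918(ip) else m.group(0)

    lines = [HOSTPORT.sub(translate, l) if l.lower().startswith(("via:", "contact:")) else l
             for l in head.split("\r\n")]
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    if c and is_rfc1918(c.group(1)):
        media_ip = c.group(1)
        body = re.sub(r"^m=(\w+) (\d+) ",
                      lambda m: f"m={m.group(1)} {nat.bind(media_ip, int(m.group(2)))} ",
                      body, flags=re.M)   # a real ALG also binds the RTCP port (m= port + 1)
        body = body.replace(f"c=IN IP4 {media_ip}", f"c=IN IP4 {nat.public_ip}")
    lines = [f"Content-Length: {len(body.encode())}" if l.lower().startswith("content-length:") else l
             for l in lines]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def far_end_rtp_destination(msg):
    """Where a far end that trusts the SDP verbatim sends its audio."""
    body = msg.partition("\r\n\r\n")[2]
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))
    return ip, port

def return_audio_reaches_phone(msg, nat):
    """(private ip, port) the far end's audio lands on, or None for one-way audio."""
    ip, port = far_end_rtp_destination(msg)
    if is_rfc1918(ip):
        return None            # unroutable on the public Internet: the packets never arrive
    return nat.inbound(port)   # None if the ALG never recorded the media binding

if __name__ == "__main__":
    nat = Nat(PUBLIC_IP)
    print("leaked private addresses:", private_addresses(INVITE))
    print("audio back, plain NAT:   ", return_audio_reaches_phone(INVITE, nat))
    fixed = alg_rewrite(INVITE, nat)
    print("audio back, correct ALG: ", return_audio_reaches_phone(fixed, nat))
```

Without the rewrite, return_audio_reaches_phone reports None because the far end is aiming at 192.168.1.20; with it, the audio lands on the public port the ALG recorded and is forwarded to the phone. To see what a broken ALG that forgets the media binding does, replace the nat.bind call in the m= handling with a fixed port number: the SDP then advertises a public port with no table entry, and the return audio is dropped at the router.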

Shooting the trouble:

When a SIP ALG works as intended, we don’t seem to hear about it. In fact, here at Flowroute our office router has an active ALG that works correctly so we don’t have any issues. But when customers experience dropped calls and/or one way audio, more often than not, SIP ALG is the culprit. There are two cures we recommend that resolve the issues 99.99% of the time.

Disable SIP ALG:
When users disable SIP ALG, the issues almost always vanish. Different routers have different configuration layouts, but you’ll need to log into the router’s configuration interface and deactivate SIP ALG; there is usually a simple toggle to switch off. (On Linux-based routers and firewalls the ALG is the nf_conntrack_sip and nf_nat_sip kernel modules, so disabling it means making sure those modules are not loaded.) VoIP-Info has assembled a fairly comprehensive list of routers and guides that walk you through the SIP ALG disabling process. Restart or re-register your phones afterwards so that the proxy sees an unmodified REGISTER and can detect the NAT again.

Bypass SIP ALG:
If you’re unable to disable your SIP ALG, there is a workaround. Some ALGs only look for SIP signaling on the default port, 5060. We allow customers to use 5160 as an alternate port, which would bypass a broken SIP ALG. Note that this only helps when the ALG picks out traffic by port; one that recognizes SIP by inspecting packet contents will still mangle signaling sent to 5160, and then disabling it is the only fix.
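A check worth running before and after changing router settings, as an added example that is not Flowroute’s tooling: compare the INVITE your phone sent with the copy the provider received (from a capture outside the router, or the provider’s SIP trace) and report what was changed in transit. The SIP messages, addresses and the mangled copy are constructed for the example; the mangled copy models an ALG that rewrites the addresses, writes a wrong media port and never recomputes Content-Length.

```python
# Added example, not Flowroute's code.  All messages and addresses are constructed.
SDP = ("v=0\r\n" "o=- 1 1 IN IP4 192.168.1.20\r\n" "s=-\r\n"
       "c=IN IP4 192.168.1.20\r\n" "t=0 0\r\n" "m=audio 16384 RTP/AVP 0\r\n")

# What the phone sent (headers trimmed to the relevant ones).
SENT = (
    "INVITE sip:15555550100@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:12125550123@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP.encode())}\r\n\r\n" + SDP
)

# Constructed copy as a broken ALG on port 5060 hands it to the provider: addresses
# swapped for the public one, a wrong media port, and Content-Length left stale.
MANGLED = (SENT.replace("192.168.1.20:5060", "203.0.113.7:5060")
               .replace("c=IN IP4 192.168.1.20", "c=IN IP4 203.0.113.7")
               .replace("m=audio 16384", "m=audio 16386"))

def parse_sip(msg):
    """Split a SIP message into (start line, {lower-cased header: value}, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body

def sdp_lines(body, prefix):
    return [l for l in body.split("\r\n") if l.startswith(prefix)]

def diagnose(sent, received):
    """Report which routing-relevant fields changed between what the phone sent and
    what the provider received, whether Content-Length still matches the body,
    and a one-line verdict."""
    _, hs, bs = parse_sip(sent)
    _, hr, br = parse_sip(received)
    rewritten = [h for h in ("via", "contact") if hs.get(h) != hr.get(h)]
    rewritten += [p for p in ("c=", "m=") if sdp_lines(bs, p) != sdp_lines(br, p)]
    declared = hr.get("content-length")
    length_ok = declared is None or int(declared) == len(br.encode())
    if not rewritten and length_ok:
        verdict = "untouched in transit: no ALG is acting on this traffic"
    elif length_ok:
        verdict = "rewritten in transit (" + ", ".join(rewritten) + "): ALG active"
    else:
        verdict = ("rewritten in transit (" + ", ".join(rewritten)
                   + ") and Content-Length no longer matches the body: broken ALG")
    return {"rewritten": rewritten, "content_length_ok": length_ok, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SENT, MANGLED)["verdict"])   # what a broken ALG on 5060 produces
    print(diagnose(SENT, SENT)["verdict"])      # what you want to see after the fix
```

An unchanged copy is what you should see after disabling the ALG, or after moving the signaling to port 5160 when the ALG only watches 5060; anything reported as rewritten means the router is still in the loop, and a stale Content-Length on top of that is a sign the rewrite itself is sloppy.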