Why is SIP ALG an issue with VoIP phones?

How can it affect VoIP?

Even though SIP ALG is intended to assist users who have phones on private IP addresses, in many cases it is implemented poorly and causes more problems than it solves. SIP ALG modifies SIP packets in unexpected ways, corrupting them and making them unreadable. This can give you unexpected behavior, such as phones not registering and incoming calls failing.

Therefore, BEFORE you are experiencing problems, we recommend that you check your router settings and turn SIP ALG off if it is enabled.

Why will SIP ALG affect my phones and faxes?

SIP ALG modifies voice and fax packets to make them appear as if they have a public IP address and are not behind a firewall.  The setting was first designed for old VoIP phone systems that could not work behind a firewall (NAT).

Modern VoIP phone systems like Keyvoice.net Business Class VoIP are designed to work with phones and fax adapters that are behind firewalls.  This is done to protect you from hackers hijacking your phone equipment and making fraudulent long distance and
international calls that run up your bill. No port forwarding.

The problem with SIP ALG occurs when our VoIP servers send voice and fax data back to your network.  Your router does not know which phone/fax device to send the data back to because SIP ALG removed the private IP address of the phone from the voice/fax packets.  This makes the router unable to keep track of which phone or fax device first sent the VoIP packet.

What issues will SIP ALG cause?

• One-way audio when first picking up a phone call.
• Dead air/dropped calls when first picking up a phone call.
• Transferring calls fail.
• Unable to put a call on hold or park on phones.
• Unable to retrieve a call off hold or park.
• Inbound faxes to a fax machine failing at the start of a fax.
• 1 phone in a ring group not ringing.
• Only 1 phone in a ring group with multiple phones is ringing.

Update as of 2022 with Comcast and other Cable internet subscribers.

• Comcast and other cable home and Business internet subscribers have a new feature that has been implemented without notice or explanation of a feature called “Security Edge” for Comcast and “Security Shield” with Spectrum. Note, these names of the feature sometimes change if they are on a home or business subscription but in most cases are listed on your internet invoice/bill in the internet section.
• In the case of Comcast “Security Edge”, this feature is a DNS redirect via a router inside the supplied Comcast modem that does not allow the flow of data to and from your data equipment without interpreting the data as allowed or not. This choice is automatically made without notice, you have no way to manage the feature and it will cause the Voice data (VoIP) to be blocked or redirected in the outbound or inbound path. Most times the interruption of the data will take time (sorry, no fixed time frame) for the feature to gather data to make a choice to interfere or manage the data flow.
• The only current solution is to notify Comcast to permanently remove the feature from your subscription. Asking them to turn the feature off only works for a time frame or until the next time the cable modem/router device from Comcast is rebooted. Then the feature is automatically turned back on.