TL;DR – SIP ALG Problems
SIP ALG rewrites SIP headers and media details in ways that often break modern cloud VoIP. The fix is simple in most deployments: test for SIP ALG, disable it at the edge, and tune NAT timeouts and QoS. Below, you will find router-specific steps for Meraki MX, Fortinet FortiGate, SonicWall TZ, Ubiquiti UniFi, and TP-Link Omada, along with verification tips and a quick remediation checklist. Meraki MX does not implement ALG at all, so on that platform you only confirm the other NAT and QoS basics. (Cisco Meraki Documentation)
If your VoIP phones are dropping calls, registering intermittently, or producing one-way audio, you’re likely facing one of the most common — and misunderstood — network issues of 2026: SIP ALG problems.
Session Initiation Protocol Application Layer Gateway (SIP ALG) was originally designed to simplify SIP traffic through NAT. But as modern VoIP systems moved to encrypted signaling (TLS) and SRTP media, SIP ALG started doing more harm than good.
According to 3CX’s 2025 Firewall and VoIP Reliability Report, misconfigured SIP ALG accounts for nearly 40% of initial VoIP call setup failures and over 25% of one-way audio incidents in SMB environments using cloud PBX systems. (Source: 3CX Firewall & VoIP Reliability Report, 2025)
Today, disabling SIP ALG is one of the first troubleshooting steps every MSP and IT admin should know. In this guide, we’ll break down what SIP ALG does, how it interferes with VoIP traffic, and how to disable SIP ALG on popular routers like Meraki, Fortinet, SonicWall, UniFi, and TP-Link Omada.
Whether you manage an MSP network or a small business PBX, these steps will help you eliminate dropped calls and restore reliable voice quality.
What is SIP ALG Anyway?
SIP ALG is a feature in many routers that inspects and rewrites Session Initiation Protocol messages as they traverse NAT. It was created to help legacy on‑prem PBX deployments, but it often alters SIP headers and SDP media details in ways that do not match what a modern cloud PBX or SBC expects.
Result: broken registrations, one‑way audio, or calls that drop after a short interval. SonicWall’s own guidance calls out these behaviors and explains why turning it off resolves typical VoIP issues. (SonicWall)
In 2026, with widespread TLS signaling, SRTP media, and provider‑side SBCs, an on‑prem ALG almost never helps. Vendors like Cisco Meraki state that their MX security appliances do not implement any ALG. (Cisco Meraki Documentation)
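To make the rewriting described above concrete, here is an added example (not code from the vendors or tools this page cites) that compares a SIP INVITE as a phone sent it with the copy the far end received. It assumes a hypothetical echo service that returns the request bytes exactly as they arrived; the messages, addresses, and function names are constructed for illustration.

```python
# Added example: diff a SIP request as sent against the copy a far-end
# echo service reports receiving. NAT alone rewrites only IP/UDP headers,
# so any change inside the SIP/SDP payload points at an ALG on the path.
WATCHED_HEADERS = ("via", "contact", "call-id")

def parse_sip(message):
    """Extract the headers and SDP lines an ALG typically rewrites."""
    head, _, body = message.partition("\r\n\r\n")
    fields = {}
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in WATCHED_HEADERS:
            fields[name.strip().lower()] = value.strip()
    for line in body.split("\r\n"):                # SDP connection/media lines
        if line.startswith(("c=", "m=")):
            fields.setdefault("sdp " + line[:2], line[2:])
    return fields

def alg_rewrites(sent, received):
    """Return {field: (sent_value, received_value)} for each altered field."""
    a, b = parse_sip(sent), parse_sip(received)
    return {k: (a[k], b.get(k)) for k in a if a[k] != b.get(k)}

# Constructed sample messages (private and RFC 5737 addresses), not captures.
SDP = ("v=0\r\no=- 1 1 IN IP4 192.168.1.50\r\ns=-\r\n"
       "c=IN IP4 192.168.1.50\r\nt=0 0\r\nm=audio 40000 RTP/AVP 0\r\n")
SENT = ("INVITE sip:2002@pbx.example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK74bf9;rport\r\n"
        "From: <sip:1001@pbx.example.com>;tag=a1\r\n"
        "To: <sip:2002@pbx.example.com>\r\n"
        "Call-ID: c1@192.168.1.50\r\n"
        "CSeq: 1 INVITE\r\n"
        "Contact: <sip:1001@192.168.1.50:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)
RECEIVED_NAT_ONLY = SENT                           # payload untouched
RECEIVED_ALG = (SENT.replace("192.168.1.50:5060", "203.0.113.10:1024")
                .replace("IN IP4 192.168.1.50", "IN IP4 203.0.113.10")
                .replace("audio 40000", "audio 50002"))

if __name__ == "__main__":
    for label, rx in (("NAT only", RECEIVED_NAT_ONLY), ("ALG", RECEIVED_ALG)):
        print(label, alg_rewrites(SENT, rx))
```

An empty result means the payload crossed the edge untouched; changed Via, Contact, or SDP values mean a device on the path is editing SIP.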
Symptoms That Scream SIP ALG Problems
Phones register, then drop on a timer or after a network change
Call connects, but only one party hears audio
Transfers fail, or voicemail access works only sometimes
Provider firewall checkers flag SIP ALG or non‑port‑preserving NAT
SonicWall’s knowledge base lists identical symptom patterns when SIP Transformations are on. (SonicWall)
Quick ways to test for SIP ALG
Disable or verify on the 5 most common SMB gateway families MSPs encounter
These are the families we see most frequently across MSP‑managed SMB networks in North America. Exact menu names vary a bit by firmware. When in doubt, search your device UI for ALG, SIP, or Connection Tracking.
1) Cisco Meraki MX series
Good news: Meraki MX does not implement any Application‑Level Gateway functionality, which means there is no SIP ALG to disable. Focus on clean NAT, correct port forwarding or 1:1 NAT for on‑prem PBX, voice VLANs, and QoS. Note that UDP timers on MX are not user‑tunable. (Cisco Meraki Documentation)
Verify
Run a SIP ALG test. A true positive almost certainly points to the ISP modem or a separate upstream router rather than your MX. (3CX)
2) Fortinet FortiGate 40F and 60F families
On FortiOS 6.2.2 and later, you disable SIP ALG and related helpers from the CLI.
CLI approach commonly used in the field
    config system settings
        set sip-expectation disable
        set sip-nat-trace disable
        set default-voip-alg-mode kernel-helper-based
    end
    config system session-helper
        show        # find the SIP helper id, often 13
        delete 13   # delete the SIP session-helper entry
    end
See Fortinet documentation and field guides for details on SIP ALG and the SIP session helper. (Fortinet Documentation)
Optional: make sure no VoIP profile with SIP inspection is attached to your policy, or disable SIP within that profile if present. Fortinet tips and community articles cover session‑helper removal and VoIP inspection behavior. (Fortinet Community)
Verify
Re‑run your SIP ALG test and place a long call to confirm no mid‑call drop at common NAT intervals. (3CX)
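To confirm the CLI changes stuck across a fleet, the added example below (not Fortinet's or this page's own code) audits saved configuration text for the three settings and the SIP session-helper entry named above. It assumes the text comes from `show full-configuration`, so every value is printed explicitly; the sample config and the function name `audit_fortigate` are constructed for illustration.

```python
# Added example: audit FortiGate configuration text for leftover SIP ALG
# settings. Expected values are the ones set in the CLI steps above.
EXPECTED = {
    "sip-expectation": "disable",
    "sip-nat-trace": "disable",
    "default-voip-alg-mode": "kernel-helper-based",
}

def audit_fortigate(config_text):
    """Return a list of findings; an empty list means the steps took effect."""
    findings, section, entry, seen = [], None, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line == "end":
            section = None
        elif line.startswith("edit "):
            entry = line.split()[1]
        elif line.startswith("set "):
            parts = line.split()
            key, value = parts[1], " ".join(parts[2:]).strip('"')
            if section == "system settings" and key in EXPECTED:
                seen[key] = value
            elif section == "system session-helper" and (key, value) == ("name", "sip"):
                findings.append(f"session-helper {entry} is still the SIP helper")
    for key, want in EXPECTED.items():
        got = seen.get(key, "not shown")           # absent lines are reported, not guessed
        if got != want:
            findings.append(f"{key} is {got}, expected {want}")
    return findings

# Constructed sample in the layout of FortiOS "show" output, not a real backup.
SIP_ENTRY = ("    edit 13\n        set name sip\n"
             "        set protocol 17\n        set port 5060\n    next\n")
BEFORE = ("config system settings\n"
          "    set sip-expectation disable\n"
          "    set sip-nat-trace enable\n"
          "    set default-voip-alg-mode proxy-based\n"
          "end\n"
          "config system session-helper\n"
          "    edit 14\n        set name dns-udp\n"
          "        set protocol 17\n        set port 53\n    next\n"
          + SIP_ENTRY + "end\n")
AFTER = (BEFORE.replace(SIP_ENTRY, "")
         .replace("sip-nat-trace enable", "sip-nat-trace disable")
         .replace("proxy-based", "kernel-helper-based"))

if __name__ == "__main__":
    print(audit_fortigate(BEFORE), audit_fortigate(AFTER))
```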
3) SonicWall TZ series
GUI path
Go to Network → VoIP → Settings
Enable Consistent NAT
Uncheck Enable SIP Transformations
Optionally increase UDP timeout on your LAN‑to‑WAN rule to 120 seconds or more
This is SonicWall’s own recommended approach on SonicOS 7.x. (SonicWall)
Verify
Run a SIP ALG test and place a test call. SonicWall’s VoIP settings guide explains the related controls if you need deeper tuning. (SonicWall)
4) Ubiquiti UniFi UDM, USG, and UCG
Depending on UniFi OS version, the SIP toggle lives in Connection Tracking.
Typical locations reported by Ubiquiti community and support guides
Settings → Routing → NAT → Firewall Connection Tracking then toggle SIP off
On older USG interfaces: Routing & Firewall → Firewall → Settings then set SIP off
EdgeRouter family: disable the module with set system conntrack modules sip disable
Community and provider support articles show these locations and commands. (community.ui.com)
Note: Some UniFi builds have SIP off by default. Intermedia’s guide for Ubiquiti Cloud Gateway Ultra notes SIP ALG disabled by default as of Network 9.0.114, with steps to edit the Connection Tracking entry if needed. (Intermedia Support)
Verify
Run a SIP ALG test and confirm phones register and stay stable through transfers and conferences. (Partner Support Center)
5) TP‑Link Omada ER605 and ER707
Omada places ALG under NAT or a dedicated ALG page depending on controller or standalone mode.
Common paths
Advanced → NAT Forwarding → ALG then disable SIP ALG
Or Network → ALG Settings on some firmwares
TP‑Link documentation and provider support articles reference these locations. (TP-Link)
Notes from the field
In Omada Controller, some admins also adjust state timeouts under Network Security → Firewall to accommodate longer calls. Community threads highlight this when phones drop or fail to register. (community.tp-link.com)
Verify
Run a SIP ALG test, then make an external call and place it on hold for a few minutes to exercise both SIP and RTP. (Partner Support Center)
Quick reference table for SIP ALG Problems
| Vendor family | Where to disable or confirm | Extra notes |
|---|---|---|
| Cisco Meraki MX | No ALG implemented. Confirm NAT design, VLANs, QoS. | UDP timers are not user‑tunable on MX. (Cisco Meraki Documentation) |
| Fortinet FortiGate | CLI: disable SIP ALG and remove SIP session‑helper. | Also ensure no VoIP profile with SIP inspection on your policy. (Fortinet Documentation) |
| SonicWall TZ | Network → VoIP → Settings. Enable Consistent NAT, disable SIP Transformations. | Optionally raise UDP timeout on LAN→WAN rule. (SonicWall) |
| Ubiquiti UniFi UDM/USG/UCG | Settings → Routing → NAT → Firewall Connection Tracking, toggle SIP off. Older USG: Routing & Firewall → Firewall → Settings. EdgeRouter CLI available. | Some releases default SIP off. (community.ui.com) |
| TP‑Link Omada ER | Advanced → NAT Forwarding → ALG or Network → ALG Settings. Disable SIP ALG. | Controller builds may need state timeout tuning. (TP-Link) |
VoIP network tuning that still matters in 2026
Do these after you have confirmed SIP ALG is off.
Use a voice VLAN and QoS. Prioritize RTP with DSCP EF and guarantee bandwidth for peak call counts. Meraki’s VoIP guide covers VLAN and QoS fundamentals that apply generically. (Cisco Meraki Documentation)
Preserve NAT bindings. Increase UDP session timeouts on devices that allow it. SonicWall exposes this per rule and suggests 120 seconds or more for stability. (SonicWall)
Prefer TLS signaling and SRTP. Encrypted signaling reduces header tampering by middleboxes.
Eliminate double NAT. Bridge the ISP gateway or place your firewall as the only NAT edge.
Keep firmware current. Vendors routinely change where ALG lives in the UI, and fixes for SIP handling ship in maintenance releases.
Test with provider tools. Run SIP ALG and MOS tests from the same LAN as the phones before and after changes. (Partner Support Center)
If You Cannot Disable SIP ALG
Bridge or pass through the ISP gateway, then put your business firewall at the edge.
Move SIP to TLS over TCP if your phones and provider support it. ALGs often target UDP 5060 only.
Use a managed SBC. Many MSPs front phones or PBX traffic through a provider SBC that normalizes NAT.
Isolate voice on a clean path. A dedicated WAN or LTE failover kept for voice can be simpler than fighting consumer gateways.
Final Thoughts on How to Solve SIP ALG Problems
SIP ALG problems continue to frustrate businesses and MSPs even in 2026 — but they’re entirely preventable once you know where to look. By disabling SIP ALG, extending NAT timeouts, and enforcing proper QoS, you can eliminate dropped calls and one-way audio for good. The key is to test, verify, and document each change as you go.
If you’re an MSP or telecom reseller looking to deliver flawless voice performance, Viirtue’s white-label VoIP and UCaaS platform simplifies it all. From built-in telecom tax automation and usage-based billing to AI-powered voice analytics, Viirtue helps you manage networks smarter and keep every call crystal clear.
Visit Viirtue.com to learn more about how we help partners overcome SIP ALG problems — and every other VoIP challenge — with a platform built for MSPs.
FAQ: SIP ALG Problems
Does every router have SIP ALG in 2026?
No. For example, Cisco Meraki MX is a stateful firewall without ALG functionality. (Cisco Meraki Documentation)
Why do vendors still ship ALG?
ALG historically helped legacy SIP devices behind NAT. Modern cloud VoIP and SBCs handle NAT reliably, which is why vendors like SonicWall document when and how to turn their SIP transformations off if you see one‑way audio or dropped calls. (SonicWall)
How do I know SIP ALG is truly off?
Run a detector from a LAN host next to your phones and place a multi‑minute test call that includes hold, transfer, and conference. Tools from 3CX, RingLogix, and Intermedia are commonly used in the field. (3CX)
Where is SIP ALG in UniFi?
On recent UniFi OS builds it is under Routing → NAT → Firewall Connection Tracking. On older USG firmware it was under Routing & Firewall → Firewall → Settings. EdgeRouter can disable the conntrack SIP module via CLI. (community.ui.com)
Is “Consistent NAT” safe to enable on SonicWall?
Yes for VoIP stability, with a minor security tradeoff documented by SonicWall. It makes NAT port mapping predictable so media can flow correctly. (SonicWall)