SIP ALG Explained
Most of today's routers implement SIP ALG (Application Layer Gateway) and come with the feature enabled by default.
While an ALG could help in solving NAT related problems, the fact is that most routers' ALG implementations are wrong and break SIP.
There are various solutions for SIP clients behind NAT: some are client-side (STUN, TURN, ICE) and others are server-side (RTP proxies such as RtpProxy and MediaProxy).
An ALG typically runs in the client's LAN router or gateway. In some scenarios, client-side solutions do not work; for example, STUN behind a symmetric NAT router.
If the server-side SIP proxy doesn't provide a server-side NAT solution, then an ALG solution could have a place.
An ALG is meant to understand the protocol used by the specific applications that it supports, and performs protocol-level packet inspection of the traffic passing through it.
A NAT router with a built-in SIP ALG can rewrite information within the SIP messages (SIP headers and SDP body), making signalling and audio traffic between the client behind NAT and the SIP endpoint possible.
However, our voice service does employ a NAT compensation solution, so SIP ALG should be disabled client-side.
SIP ALG Problems
The main problems are that most routers implement the ALG poorly at the SIP protocol level, and that this technology is really only useful for outgoing calls, not for incoming calls.
Lack of incoming calls
When a handset is powered up or a softphone is started, it sends a REGISTER to the proxy so that it can be located and receive incoming calls. This REGISTER is modified by the ALG feature. If it wasn't, the user wouldn't be reachable by the proxy, since the REGISTER "Contact" header would indicate a private IP address.
Common routers only hold the UDP "connection" open for a short while, e.g. 30-60 seconds, so after that time the port forwarding ends and incoming packets are discarded by the router.
Many SIP proxies maintain the UDP keep-alive by sending OPTIONS or NOTIFY messages to the handset or softphone, but they only do it when the handset or softphone has been detected as NATed during the registration.
A SIP ALG router rewrites the REGISTER request so the proxy doesn't detect the NAT and doesn't maintain the keep-alive, so incoming calls will not be possible.
Breaking SIP signalling
Many routers with inbuilt SIP ALG modify the SIP headers and the SDP body incorrectly, breaking SIP and making communication almost impossible.
Some of them do a blanket replacement, searching for a private address in all SIP headers and bodies and replacing it with the router's public mapped address. For example, they replace the private address if it appears in the Call-ID header, which makes no sense at all.
Many SIP ALG routers corrupt the SIP message when writing into it. For example, they will often drop a semicolon (;) in the header parameters.
Writing incorrect port values greater than 65536 is also common in many routers.
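To check whether a router's ALG is causing the problems described in "Lack of incoming calls" and "Breaking SIP signalling", compare a message as the client sent it with the copy captured at the proxy. The Python sketch below is an added example, not code from our service; the function names, symptom labels and both sample messages are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def headers(msg):
    """Map lower-cased header name -> value for the header part of a SIP message."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip the request line
    return {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}

def is_rfc1918(host):
    try:
        return any(ipaddress.ip_address(host) in net for net in RFC1918)
    except ValueError:  # host name or garbage, not an IP literal
        return False

def contact_host(hdrs):
    m = re.search(r"sip:(?:[^@>;]+@)?([^:;>]+)", hdrs.get("contact", ""))
    return m.group(1) if m else ""

def alg_symptoms(sent, received):
    """Compare a message as the client sent it with the copy captured at the proxy."""
    s, r = headers(sent), headers(received)
    found = []
    if s.get("call-id") != r.get("call-id"):
        found.append("call-id-rewritten")           # blanket address replacement
    for name in ("via", "contact"):
        if r.get(name, "").count(";") < s.get(name, "").count(";"):
            found.append(name + "-lost-semicolon")  # parameter separator dropped
    ports = re.findall(r"[\d.]+:(\d+)", r.get("via", "") + " " + r.get("contact", ""))
    ports += re.findall(r"^m=\w+ (\d+)", received, re.M)  # SDP media ports, if any
    if any(int(p) > 65535 for p in ports):          # 65535 is the highest valid port
        found.append("port-out-of-range")
    if is_rfc1918(contact_host(s)) and not is_rfc1918(contact_host(r)):
        found.append("contact-rewritten")           # proxy can no longer detect the NAT
    return found

# Constructed sample: a REGISTER as sent, and a copy mangled in the ways described above.
SENT = "\r\n".join([
    "REGISTER sip:sip.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport",
    "From: <sip:alice@sip.example.com>;tag=1928301774", "To: <sip:alice@sip.example.com>",
    "Call-ID: a84b4c76e66710@192.168.1.20",
    "Contact: <sip:alice@192.168.1.20:5060>;expires=3600",
    "CSeq: 1 REGISTER", "Content-Length: 0", "", ""])
RECEIVED = SENT.replace(":5060;branch", ":70012branch").replace("192.168.1.20", "198.51.100.7")

if __name__ == "__main__":
    print(alg_symptoms(SENT, RECEIVED))
```

An empty result for a matched pair of captures means none of these symptoms is present. A "contact-rewritten" finding on its own means the ALG is active and the proxy's NAT keep-alive will not be triggered.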
Disallows server-side solutions
Even if you don't need a client-side NAT solution, if your router has SIP ALG enabled and this breaks SIP signalling, it will make communication with our server-side SIP proxy impossible.