As part of our overall Network Engineering policy and best practices to
ensure network performance, VoIPZone does not support
"SIP Fixup"/ALG (application-level gateway) settings for hosted
services. Routers with these settings can consume an inordinate amount
of network resources, specifically in the Session Border Control (SBC)
equipment in the core, and can cause other problems that can impact
service to the end user.
We are issuing this technical advisory to remind customers of this
policy, and to alert them that in early 2010, CP has scheduled network
upgrades, including upgrades to the SBCs, that will cause problems on
inbound calls if customer routers have the non-supported SIP Fixup/ALG
(For example, the upgrades will include "Dynamic HNT" and a default
re-registration timer for non-NAT'd endpoints adjusted from one (1)
minute to 30 minutes. The non-supported configuration essentially
'fools' the SBC into thinking the endpoint is a non-NAT'd device and as
such, its registration interval will be set to a value of 30 minutes,
which is too high to maintain the firewall pin-hole. As a result,
customers will experience problems receiving inbound calls.)
At this time, VoIPZone would like to advise customers to make sure that premises
routers do not have "SIP Fixup" (or equivalent) enabled. Because not
all routers support this setting, and it may be named differently depending
on the make and model of your device, we suggest you refer to your
router documentation or contact your vendor.

For Cisco Routers
On Cisco devices it is referred to as "SIP Fixup" and it is enabled by
default on both routers and PIX devices. Because this is a default
setting, no indication of it being "on" or "off" is visible in the
configuration. To disable SIP Fixup on the following identified devices
you must issue the following commands:
    no ip nat service sip tcp port 5060
    no ip nat service sip udp port 5060

For PIX Devices
    no fixup protocol sip 5060
    no fixup protocol sip udp 5060

For Adtran Routers
    no ip firewall alg sip

For ASA Firewalls
Go to policy-map global_policy > class inspection_default and enter:
    no inspect sip

For Sonic Routers
Uncheck box "Use SIP Header Transformation"
Enable consistent NAT
Additionally, when you set the Global Default UDP timeout value on a
SonicWALL firewall, you still MUST fix the pre-existing rules'
individual UDP timeout values. New rules will inherit the Global
Default. Since 30 seconds is no longer a sufficient UDP timeout, as it
once was, to keep the UDP heartbeat sessions from the phones to the
border manager alive, we must increase the UDP timeout to the
suggested 300 seconds globally on the firewall, AND set the specific
outbound firewall rule (or default rule, as the case may be) to a UDP
timeout of 300 seconds.

For Fortinet Routers
From the CLI, type the following commands:
    config system session-helper
    show system session-helper
(look for the session instance that refers to SIP; it should be #12)
    delete 12
(***** example only, be sure to select the corresponding number to be
deleted *****)
Confirm deletion of the session-helper entry by running the "show system
session-helper" command again. An entry #12 will still be there because
#13 moved up in rank, but it should contain no reference to SIP or port 5060.
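
The Fortinet steps above warn that the entry number varies. As an added example (not part of the original advisory or any vendor tooling), this Python helper picks out the session-helper entry that references SIP or port 5060 from saved "show system session-helper" output, and confirms that none remains after deletion. The output layout (edit/set/next) is assumed, and the sample text is constructed.

```python
import re

def sip_helper_ids(show_output):
    """Return the edit IDs of session-helper entries that reference SIP or port 5060."""
    ids = []
    # Each entry runs from an "edit <id>" line to the following "next" line.
    entries = re.findall(r"^\s*edit (\d+)\s*$(.*?)^\s*next\s*$",
                         show_output, re.M | re.S)
    for entry_id, body in entries:
        settings = dict(re.findall(r"^\s*set (\S+) (\S+)\s*$", body, re.M))
        name = settings.get("name", "").strip('"')
        if name == "sip" or settings.get("port") == "5060":
            ids.append(int(entry_id))
    return ids

def render(entries):
    """Build constructed sample output from (id, name, protocol, port) tuples."""
    body = "".join(
        f"    edit {i}\n        set name {name}\n"
        f"        set protocol {proto}\n        set port {port}\n    next\n"
        for i, name, proto, port in entries)
    return "config system session-helper\n" + body + "end\n"

# Constructed samples: before deletion SIP is entry 12; afterwards the old
# entry 13 has moved up to 12, as the advisory describes.
BEFORE = render([(11, "tftp", 17, 69), (12, "sip", 17, 5060), (13, "dns-udp", 17, 53)])
AFTER = render([(11, "tftp", 17, 69), (12, "dns-udp", 17, 53)])

if __name__ == "__main__":
    print("delete these entries:", sip_helper_ids(BEFORE))
    print("remaining SIP entries after deletion:", sip_helper_ids(AFTER))
```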
Configuring the Linksys BEFSR41 router:
1. From the ADMIN page of the router navigate to [APPLICATIONS &
GAMING] > [PORT TRIGGERING]
2. Enter [TCP] as the application.
3. Enter  into the Start Port and End Port for both the
Triggering and Forwarded Ranges
4. Check the Enable box.
5. Save Settings and reboot the VoIP telephone.
For all other brands, refer to your documentation or contact your
* Many ALGs, including Cisco's, have bugs which cause call flow and
* Some ALGs, including Cisco's, intermittently miss some packets
  (do not perform fixup) or, in the case of fragmented packets, do not even
  examine and change headers
* When ALG is enabled, CP SBCs determine the endpoints are
  publicly addressed and therefore do not need frequent registration
  refreshes to keep the firewall port open between SBC and endpoint
  o In this case the customer's firewall can close the port between the
    VoIPZone SBC and endpoint, causing inability to receive incoming calls
Please note that publicly addressed endpoints are assumed to have no
firewall between them and the VoIPZone SBC, therefore only one registration
refresh per hour (3600 seconds) is needed since there is no firewall or
session to refresh and keep open.
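
The failure described above, as an added Python example (not VoIPZone's or any SBC vendor's code): it models hosted-NAT-traversal detection as a comparison between the addresses in the Via and Contact headers and the packet's source address, then checks whether the resulting registration interval keeps a firewall pinhole open. The detection rule is a simplified assumption; the 1-minute, 30-minute and 300-second values come from the advisory, and the SIP message and addresses are constructed.

```python
import re

NAT_REFRESH_S = 60        # re-registration interval for NAT'd endpoints
PUBLIC_REFRESH_S = 1800   # interval for non-NAT'd endpoints after the upgrade
UDP_TIMEOUT_S = 300       # firewall UDP timeout suggested in the advisory

def signaled_hosts(register):
    """Return the hosts the endpoint advertises in its Via and Contact headers."""
    via = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)", register, re.M | re.I)
    contact = re.search(r"^Contact:.*?sips?:(?:[^@>\s]+@)?([^;:>\s]+)",
                        register, re.M | re.I)
    return {m.group(1) for m in (via, contact) if m}

def assess(register, source_ip):
    """Classify the endpoint (assumed rule) and test whether the pinhole survives."""
    # Any advertised host that differs from the packet source implies NAT.
    behind_nat = signaled_hosts(register) != {source_ip}
    refresh = NAT_REFRESH_S if behind_nat else PUBLIC_REFRESH_S
    return {"behind_nat": behind_nat, "refresh_s": refresh,
            "pinhole_survives": refresh < UDP_TIMEOUT_S}

# Constructed sample: phone at 192.168.1.50 behind a router with WAN 203.0.113.10.
PHONE_REGISTER = """REGISTER sip:sbc.example.net SIP/2.0
Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds
From: <sip:1001@sbc.example.net>;tag=49583
To: <sip:1001@sbc.example.net>
Call-ID: constructed-call-id@192.168.1.50
CSeq: 1 REGISTER
Contact: <sip:1001@192.168.1.50:5060>
Content-Length: 0
"""

# The same message after a SIP ALG rewrote the private address to the WAN address.
ALG_REGISTER = PHONE_REGISTER.replace("192.168.1.50", "203.0.113.10")

if __name__ == "__main__":
    for label, msg in (("ALG off", PHONE_REGISTER), ("ALG on", ALG_REGISTER)):
        print(label, assess(msg, "203.0.113.10"))
```

With the ALG off the private address is still visible, the endpoint is treated as NAT'd, and the 60-second refresh stays inside the 300-second timeout; with the ALG on the rewritten headers match the source address and the 30-minute refresh lets the pinhole expire.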
In addition to ALG and SIP-fixup issues, VoIPZone Engineering has identified
another issue with the Eyebeam soft client. By default the Eyebeam soft
client detects a global IP address (public IP address) and uses that for
SIP signaling. This causes the VoIPZone SBC to mis-detect the soft client as
a publicly addressed endpoint and not treat it as an HNT (hosted NAT
traversal) endpoint. This will cause registration/firewall pinhole
issues and the inability of the soft client to receive incoming calls.
A simple configuration fix addresses this issue. Under options,
topology, ensure that under "Firewall Traversal", "Use local IP address"
Make sure to enable "Use local IP address" and uncheck "Enable ICE"
Make sure both "Advanced Options" are NOT checked.
Additional ALG information and settings can be found at the following