What Is SIP ALG and Why Should You Disable It? How Router SIP ALG Breaks VoIP Calls and Where to Turn It Off

If your VoIP phone calls are dropping, producing one-way audio, or failing to connect at all, there is a reasonable chance the problem is a single router setting: SIP ALG. This feature ships enabled by default on most consumer routers, is rarely mentioned in setup guides, and causes a disproportionate share of VoIP problems in home and small-business networks. Run a speed test first to rule out raw bandwidth as the culprit — if speeds look fine but calls don’t, SIP ALG is the next place to look.

What Is SIP ALG?

SIP ALG stands for Session Initiation Protocol Application Layer Gateway. SIP is the signaling protocol used by most VoIP systems — it handles call setup, teardown, and negotiation of media streams between endpoints. ALG refers to a category of router feature that inspects and modifies application-layer traffic as it passes through NAT.

SIP was designed in an era when NAT was less common. A SIP message includes IP addresses and port numbers embedded inside the payload itself — not just in the network headers — to tell the remote endpoint where to send audio. When a SIP packet travels through a NAT router, the router correctly rewrites the outer IP header but leaves the payload addresses alone. The remote endpoint sees a public IP in the header but a private IP (like 192.168.1.50) inside the message body, which causes the audio to route to a non-routable address and fail.

SIP ALG was created to solve this: it inspects SIP packets and rewrites the embedded addresses to match the public IP. In 2001, this was a reasonable idea. In 2026, it is almost universally harmful.

Why SIP ALG Breaks Modern VoIP

The core problem is that SIP ALG was designed for unencrypted SIP traffic over UDP. Modern VoIP providers — including RingCentral, Microsoft Teams Phone, Google Voice for Business, and virtually every cloud PBX sold today — encrypt their SIP signaling using TLS (Transport Layer Security). A router running SIP ALG cannot read the payload of an encrypted SIP packet. Instead of gracefully skipping it, most router implementations corrupt the packet, alter the port number incorrectly, or block it outright.

Even for unencrypted SIP, router vendors implemented SIP ALG inconsistently. Some implementations rewrite addresses incorrectly, changing port numbers in a way that mismatches the media negotiation. Others reset the contact header to the wrong value. The result is a set of symptoms that are difficult to diagnose:

• One-way audio: You can hear the other party but they cannot hear you, or vice versa. This happens because the SIP ALG correctly rewrites the signaling but incorrectly rewrites the RTP (audio) port addresses, causing media to route in only one direction.
• Dropped calls after 30–60 seconds: SIP sessions send periodic re-INVITE messages to keep the call alive. SIP ALG sometimes blocks these keepalives or rewrites them incorrectly, causing the remote PBX to terminate the session after a timeout.
• Failed registrations: Your VoIP adapter or softphone cannot register with the provider’s SIP server. SIP ALG modifies the REGISTER request in a way the server rejects.
• Intermittent connectivity: SIP ALG behavior can vary based on NAT table state, making problems appear randomly and disappear on router reboot — until the next call.

Modern VoIP providers handle NAT traversal themselves using STUN, TURN, and ICE protocols. They do not need a router to rewrite their SIP payloads. SIP ALG sits in the middle, intercepts traffic the provider already handles, and introduces errors.

How to Tell If SIP ALG Is Your Problem

The fastest diagnostic is to place a test call while connected directly to your modem (bypassing the router entirely). If the call works perfectly, the router is the problem and SIP ALG is the most likely cause. If the problem persists on a direct connection, the issue is upstream with your ISP or VoIP provider.

You can also check whether SIP ALG is enabled without a test call: log into your router’s admin interface and look in the NAT, Firewall, or Security settings for a setting labeled “SIP ALG,” “SIP Passthrough,” or “ALG.” If it is present and enabled, disable it regardless of whether you are currently experiencing problems — it is not providing any benefit on a modern network.

How to Disable SIP ALG by Router Brand

TP-Link (Archer and AX Series)

Log into the TP-Link admin panel at 192.168.0.1 (or tplinkwifi.net). Navigate to Advanced → NAT Forwarding → ALG. You will see a list of ALG options including SIP, H.323, and FTP. Toggle SIP ALG off. Click Save, then reboot your router. On newer Archer models running the updated firmware UI, the path may be Advanced → Security → ALG.

For TP-Link Deco mesh systems, open the Deco app, tap More → Advanced → NAT Forwarding, then disable SIP ALG. The Deco app is required; Deco systems do not expose a traditional browser admin page.

ASUS (RT and ZenWiFi Series)

Log into the ASUS admin panel at 192.168.1.1 (or router.asus.com). Go to Advanced Settings → WAN → NAT Passthrough. Find SIP Passthrough and set it to Disable. Click Apply. ASUS routers refer to SIP ALG as “SIP Passthrough” in their UI, but it is the same function. After applying, restart the router from Administration → Reboot.

Netgear (Nighthawk and Orbi Series)

Log into the Netgear admin panel at 192.168.0.1 (or routerlogin.net). Navigate to Advanced → Setup → WAN Setup. Look for the checkbox labeled Disable SIP ALG and check it. (Note: on Netgear, the checkbox disables SIP ALG when checked — the phrasing is the opposite of most other brands.) Click Apply and reboot. On Orbi mesh systems, the same path applies through the primary Orbi router’s browser interface.

eero (Amazon eero)

Amazon eero does not expose a SIP ALG toggle in its consumer app or web interface. eero uses a locked-down firmware model that does not provide access to individual ALG settings. The practical workaround is to put your eero in bridge mode and connect it to a router or firewall that provides proper SIP ALG control — such as a TP-Link Archer in router mode placed upstream. If you are running a standalone eero without an upstream router, contact eero support to confirm the current firmware behavior, as Amazon has adjusted their ALG implementation in response to VoIP complaints.

After Disabling SIP ALG: What Else to Check

Disabling SIP ALG resolves the majority of VoIP problems on consumer routers, but a few additional settings can help if issues persist. First, ensure your router’s NAT session timeout is set high enough for SIP — many routers default to a 30-second UDP timeout, which is shorter than SIP keepalive intervals. Look for a “UDP timeout” or “SIP timeout” setting and raise it to 120–300 seconds if available.

Second, if you are using QoS, add your VoIP adapter’s IP address to the high-priority queue. SIP signaling requires very low latency; even brief buffering during a congested download can cause a registration timeout. Our guide on setting up QoS on a home router covers this in detail.

Finally, if your VoIP provider supports it, enable SRTP and TLS for encrypted media. Encrypted VoIP is more resilient to NAT issues because it relies on provider-side TURN servers for relay rather than depending on the client’s public IP being correctly embedded in SIP payloads. With SIP ALG disabled and encrypted transport enabled, VoIP call quality on a home network should be reliable and consistent.