Can you turn ALG off? This is often recommended.
Steve
Yes, I can turn ALG/SIP off, and a list of others such as MMS, IPsec, PPTP, and RTSP. The latter is used by VoIP for the bearer traffic, right?
Is the purpose of router-based ALG to avoid the need to do explicit port-forwarding or "triggered" forwarding, etc? I don't know.
VOIPo is sending keep-alive packets to keep customers' routers' ports from closing. Your router settings are set not to reply (permit an outbound packet) to an inbound packet request that is only a single packet reply to a solicitation (similar to blocking WAN ping requests). If you are not having registration issues or call quality issues, I wouldn't worry about it and keep your current configuration.
I'll tell you what I know:
To answer your question, it is most likely SIP ALG, but I don't know your other options, either configurable or not configurable (if any), regarding the router's firewall.
SIP ALG is supposed to do 3 things (few commercial routers do this well - most don't):
Open the appropriate ports for VOIP traffic.
Check VOIP packets to ensure they comply with SIP protocols.
Allow auditing by producing log messages.
My guess:
It appears your router's SIP ALG is accepting the incoming keep-alive from VOIPo like it should since it is valid VOIP traffic, but is not accepting your ATA's reply (and thus generates a log message). This could be from SIP ALG not recognizing the ATA's reply as VOIP traffic or it not complying with the router's SIP ALG algorithm violating the SIP protocol (either correctly or incorrectly).
Re your last paragraph: I suspect that too, that the Grandstream is generating a packet that the router's ALG outgoing cannot validate. It sees that it's SIP, but something else is invalid.
I don't think this is related to the incoming from the various VoIPo partner servers. The router is normally set to drop these and not forward, since they serve no purpose in my router. And when I did put the ATA in the DMZ where the incoming are accepted, it made no difference: the outgoing packets from the Grandstream are rejected by the ALG nonetheless.
I will check again with VoIPo tech support. I believe that the Grandstream's attempts at outgoing SIP may be registration or keep-alive notices. Last ticket I filed was due to loss of service. VoIPo noted that my ATA wasn't being provisioned. They didn't say why but did the usual hail-mary fix: Upgrade the ATA's firmware version and hope.
What may be happening is the keep-alive packet has your local LAN IP as the return IP. Local LAN IPs are not routable, so your router correctly rejects it. This process appears to be working as designed.
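A check for the condition described in the last reply (a LAN address carried inside the SIP message itself), as an added example that is not part of the thread: it scans the Via and Contact headers of a captured SIP message for non-routable IPv4 addresses. The sample REGISTER, its addresses and host names, and the function name `private_addresses` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a REGISTER as an ATA behind NAT might send it.
# Addresses and names are made up (192.168.1.50 = LAN host, example.net = provider).
SAMPLE_REGISTER = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:1000@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:1000@sip.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1000@192.168.1.50:5060>\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Headers whose host part tells the far end where to send replies or requests
# ("v" and "m" are the SIP compact forms of Via and Contact).
ROUTING_HEADERS = {"via", "v", "contact", "m"}
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def private_addresses(sip_message):
    """Return (header, address) pairs where a routing header carries an
    IPv4 address that is not routable on the public Internet."""
    head = sip_message.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:      # skip the request/status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ROUTING_HEADERS:
            continue
        for candidate in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:               # e.g. 999.1.1.1 is not an address
                continue
            # is_private covers RFC 1918 plus other special-purpose ranges
            if addr.is_private:
                findings.append((name.strip(), candidate))
    return findings


if __name__ == "__main__":
    for header, addr in private_addresses(SAMPLE_REGISTER):
        print(f"{header}: {addr} is not routable from the WAN side")
```

Running it against a capture taken on the LAN side and another taken on the WAN side shows whether the router's ALG rewrote these headers or passed them through unchanged.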