SIP ALG Problem

At the moment we are changing our analog telephony to IP telephony. I have created a proxy SIP-ALG policy.
After creating the policy the telephony works from external to internal but not from internal to external. The voice transmission does not work.
Is an error known during configuration with SIP-ALG?


  • No it is not.
    Please open a support incident so that a WG rep can help you get this working.

  • I have now created a policy with a packet filter instead of a SIP ALG.
    Now the telephony works.
    From: Phone Server
    To: Any External
    Ports: I got from my provider

    @Bruce_Briggs what do you think about this configuration?

  • Many sites use policies with a port list instead of using a SIP-ALG policy.
    It depends on the IP phone system details as to which method is best.

  • According to my provider these always have difficulties with SIP ALG. This is a Swyx telephone system.

  • Every VoIP provider I have encountered recommends a packet filter and disabling any SIP-ALG on the firewall.

    Gregg Hill

  • @GreggHill thanks for your post. What I find unfortunate is that WatchGuard describes that this should work without problems with a single SIP-ALG proxy.

  • Hi Daniel,

    as I can see we are in the same boat.

    We also had to set up a Swyx behind a Firebox. After spending endless hours trying to get the SIP-ALG running without problems, we dropped it altogether and used packet filters instead.

    Sometimes it worked and sometimes voice was missing in one direction.

  • Hi @offbyone ,
    thanks for your post. Yes I think so.
    Now I will leave the configuration with packet filters, since you say you have the same problem with Swyx.

  • Hi Daniel.

    Just for the record. We are not sure if the Swyx itself is the problem. It could also be the telephone carrier or a combination of both.

    The most important thing if you try to get the SIP-ALG running is that you disable STUN on the PBX, as it interferes with SIP-ALG.

  • Hi @offbyone thanks for your post. I have disabled STUN on the PBX but it still doesn't work. I've now built a packet filter where the ports of my provider are contained and released externally without SIP. Now it works.

    But last time I had the problem that the voice transmission didn't work anymore. I usually took the port policy any. Then the voice transmission worked again. After that I changed the ports back to those of my provider and it was still OK. Can someone tell me what the problem is or was?

  • Hi guys,
    I can't get anything to run, or at least no voice. Does anyone have their packet filters for me as an example? That would be really great. Thanks in advance!

  • Hi @stefan_petershofer ,

    Sure. Can you tell me your service provider? Because it's always different.

  • Swyx itself. Normally we would use Vodafone, but they had delivered the wrong connection (some pseudo ISDN adaption). So we decided to rent some trunks at Swyx. Between the Watchguard and the Internet (Vodafone) there is a Fritz!Box, but the Watchguard is configured as Exposed Host. So I guess this should not be the problem. I can call from the in- and outside. But no voice is going through.

    I owe you some beer for this :)

  • Ok, I understand the problem. What happens if you allow all ports? Have you tried that?

  • @Daniel_P30 said:
    Ok, I understand the problem. What happens if you allow all ports? Have you tried that?

    Not today, but I will now. Will come back after trying this.

  • @Daniel_P30 said:
    Ok, I understand the problem. What happens if you allow all ports? Have you tried that?

    So, I've tried but can't get it to work (the TCP/UDP Proxy, right?), there's either no port open from the outside. So I activated my rules (packet filters) again. I've opened the ports 65002, 55000-56000 and 5060. From the outside, if I try a scan: 65002 and 5060 are open. 55000 or 55001 are not (the port scan says they are closed). But it's defined in the same rule, so why won't this open?! When I watch the traffic I see a lot of tries from these ports (55000) into my optional network on the Watchguard? But there is nothing set in those rules. I think I'm losing my mind right now.

  • @stefan_petershofer said:

    @Daniel_P30 said:
    Ok, I understand the problem. What happens if you allow all ports? Have you tried that?

    Not today, but I will now. Will come back after trying this.

    I will shorten it, so I've configured these rules:

    Packet Filter 1: Any-External = IP Swyx Server (Ports UDP/TCP 5060) via SNAT
    Packet Filter 2: IP Swyx Server = Any External (Ports UDP/TCP 5060)

    Packet Filter 3: Any-External = IP Swyx Server (Ports 65002 UDP/TCP, 55000-56000 TCP/UDP) via SNAT
    Packet Filter 4: IP Swyx Server = Any-External (Ports 65002 UDP/TCP, 55000-56000 UDP/TCP)

    Did I miss something?

    Unfortunately, I played around so much that I don't have a connection to the trunk at the moment.

  • Well, it's working now. I had to make a dedicated rule for the port range of 55K - 56K.

  • Hi @stefan_petershofer
    sorry for the late answer. Yes, these ports are important: 55000-56000 UDP.

  • I have a Mitel 3300 and am currently experiencing problems with the SIP-ALG Proxy, but cannot get a packet filter to work, so I'm stuck with using the proxy since at least it works some of the time in and all of the time out.
    My SIP Provider has two network addresses, one being only the 5060 traffic and one being all the data from phones to SIP provider. I tried setting up 4 packet filters: two for 5060 traffic with SIP provider 1->SNAT firebox-ISP and Phone network -> ISP, and the other being an ANY from SIP provider 2->SNAT firebox-ISP and Phone network -> ISP. Calls come through but no voice. Any ideas why?

  • For the record, what XTM version are you running?

    "SIP provider 1->SNAT firebox-ISP"
    Not sure what the internal IP addr device is here on your policy - what is it?

    If you have the default Outgoing policy in your config, then there should be no need for the outgoing "Phone network -> ISP" policies - and they should not be part of the problem.

    If you have a current LiveSecurity license, you should open a support incident to get help from a WG rep in getting your VoIP setup working.
