Disable SIP transformations on SonicWall.
SonicWall calls SIP ALG "SIP transformations." TZ and NSA firewalls ship it on; production VoIP traffic needs it off, plus consistent NAT enabled.
Steps
- Sign in to the SonicWall web UI as admin.
- Open VoIP → Settings (called VoIP → Configuration on some firmware).
- Under General Settings:
  - Untick Enable SIP Transformations.
  - Untick Enable SIP Back-to-Back User Agent (B2BUA) support.
- Open VoIP → Settings → Consistent NAT.
- Tick Enable Consistent NAT.
- Click Accept at the top of the page.
Why consistent NAT matters
SIP endpoints announce their RTP port in the SDP body. SonicWall's default NAT randomizes source ports per destination, which breaks SIP NAT keepalive. Consistent NAT preserves the source port across destinations, which the SIP signaling expects.
Raise UDP timeout for SIP signaling
SonicWall's default UDP connection timeout is 30 seconds. SIP devices REGISTER hourly by default, so the firewall closes the NAT mapping between registrations and inbound calls fail silently. Raise the timeout for SIP signaling:
- Open Network → Services.
- Find or create a service object for UDP 5060.
- Set its UDP Connection Inactivity Timeout to 600 seconds (or higher).
- Reference the service from your VoIP firewall rule so the per-service timeout applies.
Verify
Place a test call and listen for two-way audio. If audio drops at ~30s, double-check that SIP transformations are off and consistent NAT is on; both must be set. Wait 5–10 minutes with the line idle, then place an inbound call to confirm the registration survived.
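To confirm from packet captures that SIP transformations are really off, compare the same INVITE as seen on the LAN side and on the WAN side: with the ALG disabled the firewall translates only the IP/UDP headers, so the addresses and ports embedded in the SIP payload must be unchanged. The script below is an added example, not SonicWall tooling; the function names and the sample messages (192.168.1.50, 203.0.113.10, sip.example.com) are constructed for illustration.

```python
import re

# Address/port values embedded in the SIP payload that an ALG would rewrite.
FIELDS = {
    "via": re.compile(r"^Via:\s*SIP/2\.0/UDP\s+([^;\s]+)", re.I | re.M),
    "contact": re.compile(r"^Contact:.*?<sip:[^@>]*@([^;>]+)", re.I | re.M),
    "sdp_c": re.compile(r"^c=IN IP4 (\S+)", re.M),
    "sdp_m_audio": re.compile(r"^m=audio (\d+)", re.M),
}

def embedded_fields(raw):
    """Extract the embedded address/port values from one SIP message."""
    text = raw.replace("\r\n", "\n")
    found = {}
    for name, rx in FIELDS.items():
        match = rx.search(text)
        found[name] = match.group(1) if match else None
    return found

def alg_rewrites(lan_msg, wan_msg):
    """Return {field: (lan_value, wan_value)} for each value changed in transit."""
    lan, wan = embedded_fields(lan_msg), embedded_fields(wan_msg)
    return {k: (lan[k], wan[k]) for k in FIELDS if lan[k] != wan[k]}

# Constructed sample INVITE, trimmed to the lines that matter here.
TEMPLATE = (
    "INVITE sip:2002@sip.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP {sig};branch=z9hG4bKexample\r\n"
    "Contact: <sip:1001@{sig}>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "c=IN IP4 {ip}\r\n"
    "m=audio {rtp} RTP/AVP 0\r\n"
)
LAN = TEMPLATE.format(sig="192.168.1.50:5060", ip="192.168.1.50", rtp=16384)
WAN_ALG_OFF = LAN  # payload passes through untouched
WAN_ALG_ON = TEMPLATE.format(sig="203.0.113.10:5060", ip="203.0.113.10", rtp=23456)

if __name__ == "__main__":
    for label, wan in (("ALG off", WAN_ALG_OFF), ("ALG on", WAN_ALG_ON)):
        print(label, alg_rewrites(LAN, wan) or "payload untouched")
```

Any non-empty result on a real capture pair means something on the path is still rewriting the SIP payload.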