Does anyone know how to disable SIP ALG in Cisco Meraki MX64?


I am trying to set up a FreePBX on-premises server on my LAN. 


Currently I have the server working with softphones, so I have an app on my phone and an app on my desktop, both assigned extensions accessing the FreePBX phone server, and they are able to make a phone call to each other and speak with clear audio.


However, when I try to connect with my phone and call the desktop from outside the LAN (I turned wifi off on my phone, therefore connecting with 4G Mobile Data) this does not work.


I am still able to ring the desktop, but when I answer on the desktop, there is no audio at all on either side.


Many have told me to disable SIP ALG, and to check my NAT settings. Anyone have any idea how to do this in MX64 dashboard?


There is no SIP ALG on Meraki MX so you must have some other issue. 

- Ex community all-star (⌐⊙_⊙)

Could be that you need some port forwarding to your pbx. 


UDP/5060 -> Forward to <ip pbx>

UDP/10000-20000 -> Forward to <ip pbx>


Thanks everyone, this was the solution:


"UDP/10000-20000 -> Forward to <ip pbx>"

I know this is an old thread, but I am having the same issue. How did you go about implementing this resolution exactly, if you don't mind sharing? Also, we use a VOIP service for our phones, so I am wondering what exactly is the "<ip pbx>" you mentioned?


The issue I was having was that while I could call on the same LAN (Local area network) between my phone and PC, I was unable to from outside the LAN.


The phone, the desktop PC, and the FreePBX phone server/service were all on the same network, local private network in the building.

Therefore the FreePBX SIP Server settings programmed into the phone / desktop PC on the softphone clients e.g., user + pass, were all working fine.

Once you go outside the network and are trying to connect to the SIP server with your phone, you must use port forwarding / NAT. You are opening a port on your network to the outside world. That is what I had to do (ports 5060, and ports 10000-20000). Now when someone goes to my public IP address port 5060 or 10000-20000, the local IP address it gets on my network is the SIP server.


Your setup is slightly different, because you are using a VOIP service. That is somewhat unspecific. I assume you mean a cloud-hosted phone server? So you don't have a server in your workplace, but you are using a service online? Do they provide you with a SIP server address, username and password?


If you are able to connect the calls, but there is no voice heard on either device, it's likely that the VOIP service themselves will have to allow port forwarding on more / different ports. You will likely need to contact your VOIP service for help if this is the issue. With mine, I had the VOIP service set up myself, so I had to port forward on my own network 10000-20000 for voice data. The call connects with port 5060, but voice data is in 10000-20000, I think.
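The split described above (signalling on 5060, audio on 10000-20000) can be checked from a packet capture by reading the SDP body carried in the INVITE or 200 OK. The following is an added example, not part of the original thread: `audit_sdp`, `make_sdp` and the sample addresses are constructed for illustration, and the forwarded range is the one quoted in the thread.

```python
import ipaddress

# RFC 1918 ranges: a caller on the internet cannot route RTP to these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_sdp(sdp, forwarded=(10000, 20000)):
    """Return (port, finding) pairs for the audio streams in an SDP body."""
    session_addr, media = None, []          # media: [type, port, addr]
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2].split("/")[0]
            if media:
                media[-1][2] = addr         # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append([kind, int(port.split("/")[0]), None])
    findings = []
    for kind, port, addr in media:
        if kind != "audio" or port == 0:    # port 0 means the stream was declined
            continue
        addr = addr or session_addr
        if addr is None:
            findings.append((port, "no-connection-address"))
        elif any(ipaddress.ip_address(addr) in net for net in RFC1918):
            findings.append((port, "private-address"))
        if not forwarded[0] <= port <= forwarded[1]:
            findings.append((port, "port-not-forwarded"))
    return findings

# Constructed SDP bodies (not captured from the thread's network).
def make_sdp(addr, port):
    return (f"v=0\r\no=- 1 1 IN IP4 {addr}\r\ns=call\r\nc=IN IP4 {addr}\r\n"
            f"t=0 0\r\nm=audio {port} RTP/AVP 0 8 101\r\na=rtpmap:0 PCMU/8000\r\n")

BEHIND_NAT = make_sdp("192.168.1.50", 14220)    # PBX advertises its LAN address
CORRECTED = make_sdp("203.0.113.10", 14220)     # PBX advertises the WAN address
OUT_OF_RANGE = make_sdp("203.0.113.10", 30000)  # port outside the forward rule

if __name__ == "__main__":
    for name, sdp in [("behind NAT", BEHIND_NAT), ("corrected", CORRECTED),
                      ("out of range", OUT_OF_RANGE)]:
        print(name, audit_sdp(sdp))
```

A `private-address` finding means the far end is being told to send audio to an address it cannot reach, so the forward rule alone will not restore audio until the PBX advertises its public address.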

10-4 Thanks so much for the quick and thorough explanation! I greatly appreciate that!

No problem best of luck 🙂 

So I'm back again. We have tried literally everything we can think of. Hilariously, my last Google search brought me right back here, and I was like... hey, this looks familiar! Any chance you might be able to offer me advice on exactly how to forward UDP to my VOIP vendor's IP address within the Meraki firewall?


What I have discovered with packet captures, is that our phones are requesting to register every 30 seconds. Here is the breakdown:

1. Phone sends request: REGISTER to external server

2. External server sends back Status: 407 Proxy Authentication Required

3. Phone sends second request: REGISTER to external server

4. External server sends back Status: 200 OK (REGISTER) (1 binding)


The VOIP company confirmed that is not expected behavior. They say it should ask to register, their server then asks for username and password, the phone sends it, and then it shouldn't be asking twice to register.

They seem to think somewhere along the way, within our network, packets are getting dropped/lost. We have ruled out SIP ALG, so it must be some sort of port forwarding/DSCP tag type issue.


In any case, using the Meraki firewall, is there a way to do some sort of port forward rule that ensures "UDP/10000-20000 -> Forward to <external IP of my VOIP Provider>" as well as any applicable forwards for port 5060?


I do have QoS rules setup under traffic shaping that is set to tag VOIP traffic as EF 46 with highest priority.


Any help is appreciated!


One-way or no audio is typically down to a routing issue. Confirm your port forwarding. 5060 is used for signalling; I would focus on the ports used for the actual voice streams.

Darren OConnor

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.