Richard:
Sorry if this breaks threading, I don't have the original message.
In the cases where it doesn't work, can you confirm that the Contact
URI in the 200 actually contains a public address as it leaves your
network? What you're describing makes me think it's not, and it looks
like the following to me:
GW sends 200 with private address in Contact. This private address
leaks out of your network. This private address happens to fall
within the range of your customer's private network.
The 200 hits the remote router. The ALG leaves it alone (for now).
The PAP2T reads the Contact in the 200 and pulls the private address
from it. It targets the ACK to this private address, and sends it.
The ALG sees this, and notices the RURI contains a private address
from it's own local network. It PATs this address (hence the port
2021, it just picks the next port, since 2020 was already used by your
PAP2T). The ACK now contains the offending address in the RURI. When
your openser instance gets it, it just relays it like it was told to
do based on loose routing, and the call drops.
The thing about those ALGs is that they will rewrite *anything* that
matches the access list associated with the nat pool address, even if
it has nothing to do with any real IP traffic flowing through the
thing.
Hope that gives you something useful.
Phil