Richard:
Sorry if this breaks threading, I don't have the original message.
In the cases where it doesn't work, can you confirm that the Contact URI in the 200 actually contains a public address as it leaves your network? What you're describing makes me think it's not, and it looks like the following to me:
GW sends 200 with private address in Contact. This private address leaks out of your network. This private address happens to fall within the range of your customer's private network.
The 200 hits the remote router. The ALG leaves it alone (for now).
The PAP2T reads the Contact in the 200 and pulls the private address from it. It targets the ACK to this private address, and sends it.
The ALG sees this, and notices the RURI contains a private address from its own local network. It PATs this address (hence the port 2021, it just picks the next port, since 2020 was already used by your PAP2T). The ACK now contains the offending address in the RURI. When your openser instance gets it, it just relays it like it was told to do based on loose routing, and the call drops.
The thing about those ALGs is that they will rewrite *anything* that matches the access list associated with the nat pool address, even if it has nothing to do with any real IP traffic flowing through the thing.
Hope that gives you something useful.
Phil
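
One way to run the check suggested above on a captured 200 or ACK, as an added example that is not part of the original message. The function names and all sample addresses are assumptions made for illustration; only port 2021 is taken from the thread.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private also flags
# documentation ranges such as 198.51.100.0/24, which we use as "public" here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
URI_HOST = re.compile(r"sips?:(?:[^@\s>;]+@)?([^:;>\s]+)", re.I)

# Constructed samples (all addresses are made up): the 200 as it leaves the
# gateway's network, and the ACK the phone would build from its Contact.
SAMPLE_200 = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK74bf9\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:gw@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_ACK = (
    "ACK sip:gw@192.168.1.20:2021 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK74c01\r\n"
    "CSeq: 1 ACK\r\n"
    "Content-Length: 0\r\n\r\n"
)

def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return False
    return any(addr in net for net in RFC1918)

def private_targets(message):
    """Return [(field, host)] for a Request-URI or Contact holding an RFC 1918 address."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    candidates = []
    start = lines[0].split()
    if len(start) == 3 and start[2].upper().startswith("SIP/"):  # request line
        candidates.append(("Request-URI", start[1]))
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "m"):  # "m" is the compact form
            candidates.append(("Contact", value))
    findings = []
    for field, value in candidates:
        match = URI_HOST.search(value)
        if match and is_rfc1918(match.group(1)):
            findings.append((field, match.group(1)))
    return findings

if __name__ == "__main__":
    for label, msg in (("200 OK", SAMPLE_200), ("ACK", SAMPLE_ACK)):
        print(label, private_targets(msg))
```

Feed it messages captured on the outside interface; a non-empty result for the 200 means the private Contact is leaking before any remote ALG touches it.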