On a problematic system, I start a capture with a command like:
tcpdump -s 0 -C 100 -W 10 -w rbuf -Z root &
This writes all network traffic into a series of files rbuf0, rbuf1, …, rbuf9. Each is limited to 100 MB and after filling rbuf9, it continues, overwriting rbuf0. You can let this run 24/7, since it won’t use more than 1 GB of disk. When you get a report of a problematic call, copy the file with the proper time range to a temporary file and transfer it to your PC. Open it in Wireshark and with Telephony->VoIP calls, view and analyze the failing call. You have everything, including extension and trunk signalling, announcements heard, DTMF sent, and the actual conversation.
No guarantee that you’ll be able to fix the trouble, but at least you will know exactly what went wrong.
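An added example, not part of the original post, for picking which ring file to copy: it reads the first packet timestamp from each rbuf file and returns the files that overlap the reported call time, which still works after the ring has wrapped and the file numbers no longer follow time order. It assumes classic pcap files as tcpdump writes them by default; the function names and the sample timestamps are constructed for illustration.

```python
import struct, tempfile
from pathlib import Path

# First 4 bytes of a classic pcap file -> (struct byte order, timestamp fraction divisor)
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
          b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}

def first_packet_time(path):
    """Epoch time of the first packet, or None for an empty or non-pcap file."""
    with open(path, "rb") as f:
        head = f.read(40)  # 24-byte global header + 16-byte first record header
    if len(head) < 40 or head[:4] not in MAGICS:
        return None
    order, div = MAGICS[head[:4]]
    sec, frac = struct.unpack(order + "II", head[24:32])
    return sec + frac / div

def files_for_window(directory, start, end, prefix="rbuf"):
    """Ring files that can hold packets from [start, end] (epoch seconds), oldest first."""
    ring = sorted((t, p.name) for p in Path(directory).glob(prefix + "*")
                  if (t := first_packet_time(p)) is not None)
    hits = []
    for i, (t0, name) in enumerate(ring):
        # A file covers from its first packet up to the next file's first packet;
        # the newest file is still being written, so it has no upper bound.
        t1 = ring[i + 1][0] if i + 1 < len(ring) else float("inf")
        if t0 <= end and start < t1:
            hits.append(name)
    return hits

def write_sample(path, ts):
    """Constructed test data: a one-packet pcap stamped at epoch second ts."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    Path(path).write_bytes(hdr + struct.pack("<IIII", ts, 0, 14, 14) + b"\x00" * 14)

def demo():
    """Ring that has wrapped: rbuf0 is the newest file, rbuf1 the oldest."""
    with tempfile.TemporaryDirectory() as d:
        for name, ts in [("rbuf0", 5000), ("rbuf1", 2000), ("rbuf2", 3000), ("rbuf3", 4000)]:
            write_sample(Path(d) / name, ts)
        (Path(d) / "rbuf4").write_bytes(b"")  # empty file: skipped, no packets yet
        return {"mid": files_for_window(d, 3500, 3600),
                "spans_rotation": files_for_window(d, 3900, 4100),
                "latest": files_for_window(d, 6000, 6100),
                "overwritten": files_for_window(d, 100, 200)}

if __name__ == "__main__":
    print(demo())
```

An empty result means the call is older than the oldest surviving file, so that traffic has already been overwritten.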