What is causing this error? endpoint unreachable then AOR deleted

This is repeating over and over again every few minutes:

1134	[2022-08-04 09:07:54] VERBOSE[12830] res_pjsip/pjsip_options.c: Contact 175/sip:[email protected]_IP_OF_REMOTE_PHONE:1029;x-ast-orig-host=10.0.20.64:42859 is now Unreachable. RTT: 0.000 msec	
1135	[2022-08-04 09:08:15] VERBOSE[30134] res_pjsip/pjsip_options.c: Contact 175/sip:[email protected]_IP_OF_REMOTE_PHONE:1029;x-ast-orig-host=10.0.20.64:42859 has been deleted	
1136	[2022-08-04 09:08:41] VERBOSE[7480] res_pjsip_registrar.c: Added contact 'sip:[email protected]_IP_OF_REMOTE_PHONE:1029;x-ast-orig-host=10.0.20.64:42859' to AOR '175' with expiration of 60 seconds	
1137	[2022-08-04 09:08:41] VERBOSE[32003] res_pjsip/pjsip_options.c: Contact 175/sip:[email protected]_IP_OF_REMOTE_PHONE:1029;x-ast-orig-host=10.0.20.64:42859 is now Reachable. RTT: 61.382 msec

Cisco 8861 3PCC Remote Phone registered via NAT
PBX has ports forwarded
(using 42859 instead of 5060 for SIP; 10001-20000 RTP)

NAT keep alive interval on phone set to 15 seconds (issue was worse when it was 25)
Extension’s minimum expiry set to 60, max expiry 120 (also tried 60/3600, 20/40)
Extension’s qualify frequency set to 60 (also tried 20 and 120 and disabling)
UDP idle timeout on Firewall set to 300 secs
SIP ALG / SIP Helper etc. all DISABLED

I am almost sure it must be combination of registration / qualify / NAT keepalive timings as depending how I adjust those the issue either becomes more frequent (rendering phone almost useless) or less frequent (still every 12 or so mins etc.)

The remote phone has removed its contact information by unregistering. As there is no longer any contact information, Asterisk does not know where to send requests, which obviously means that the AOR is now unreachable, as you cannot reach something if you don’t know where it is.

It is odd because sometimes during the period of unreachability the phone functions perfectly fine, other times it is flashing as unregistered / useless
How to prevent from unregistering? Narrow the registration period? Change NAT keep-alive interval? Change qualify freq?

Actually, looking at the timing, it went unreachable before the registration was lost, so it may be Asterisk that is removing the registration, because the re-registration was lost due to a temporary network failure, in which case the fix is to mend your network.

I don’t think being marked unreachable will actually cause the de-registration; I think the re-registration request has to really fail to get through.

It is possible that a router dynamic rule is timing out, but that may well be on the remote side, and we’d need to know a lot more about your network topology to consider that properly.

The PBX is behind a FortiGate, UDP timeout set to 300secs, SIP Helper/ALG all disabled, ports forwarded

The remote phone - I have tried at least 4 router brands, including ASUS, Netgear, TP-Link, and ISP-provided router/modem combos, all with the same result of the phone becoming unreachable (de-registering). So it’s got to be either PBX / phone config issue or the PBX’s network. I doubt it is PBX’s network because other remote phones (softphones) have no issues and don’t de-register.

What would you suggest as the combination of qualify time/min+max expiry/NAT keep-alive interval/etc. to overcome possibility of the network causing the issue? Or anything else?