SIP Transport: TCP (LAN:OK; Outside:OK) / TLS (LAN:OK; Outside: NOTOK)

I’m currently using Asterisk 13.14.1~dfsg-2+deb9u4 and I have configured it to allow me to make VoIP calls using the Linphone app on my Android mobile (using data, not Wi-Fi), via TCP as the transport for SIP. This works fine (both inside my LAN and outside).

However, after changing the transport from TCP to TLS (for which I’m using Let’s Encrypt), I’m able to connect and it works fine on my LAN, but outside (mobile with data on) I’m only able to connect. It seems to mess with the SDP and consequently the RTP (meaning I’m not able to receive sound/video on my mobile).

Here is the output of sip debug for TCP:

<--- SIP read from TCP:123.123.123.123:2963 --->
REGISTER sip:mysip.domain.com SIP/2.0
Via: SIP/2.0/TCP 123.123.123.123:2963;branch=465dsf5.Dj4S5pdfZ;alias
From: <sip:user@mysip.domain.com>;tag=...
To: sip:user@mysip.domain.com
CSeq: 26 REGISTER
Call-ID: ....
Max-Forwards: 70
Supported: replaces, outbound, gruu
Accept: application/sdp
Accept: text/plain
Accept: application/vnd.gsma.rcs-ft-http+xml
Contact: <sip:user@123.123.123.123:2963;transport=tcp;app-id=... ... ...
Expires: 3600
User-Agent: ....
Authorization: Digest realm="asterisk", nonce="41djhfh", algorithm=MD5, username="user", uri="sip:mysip.domain.com", response="...."
Content-Length: 0

and here is the output of sip debug for TLS:

<--- SIP read from TLS:123.123.123.123:6503 --->
REGISTER sip:mysip.domain.com SIP/2.0
Via: SIP/2.0/TLS 10.151.213.71:54873;alias;branch=465dsf5.D5sjt7Azc;rport
From: <sip:user@mysip.domain.com>;tag=...
To: sip:user@mysip.domain.com
CSeq: 20 REGISTER
Call-ID: ....
Max-Forwards: 70
Supported: replaces, outbound, gruu
Accept: application/sdp
Accept: text/plain
Accept: application/vnd.gsma.rcs-ft-http+xml
Contact: <sip:user@10.151.213.71:54873;app-id=...;transport=tls...
Expires: 3600
User-Agent: ....
Content-Length: 0

Why is it that just changing the SIP transport from TCP to TLS messes with the IP in “Via: …” and consequently with RTP?
How can I avoid it? I tried ICE and STUN but had no luck: it always tries to deliver media (RTP) to the internal IP 10.151.213.71…
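
An added example (not from the post or from Asterisk): a small Python check, modelled on the two REGISTER requests above, that does what an rport/NAT-aware SIP server does on receipt: it compares the Via and Contact addresses with the packet's real source and builds the Via it should echo back with `received=` and `rport=` (RFC 3261 section 18.2.1, RFC 3581). The two sample messages are constructed and trimmed; the source addresses and ports are taken from the debug output, and it assumes Contact carries an IP literal, as in the post.

```python
import ipaddress
import re

# Constructed samples modelled on the two REGISTERs quoted in the post (headers trimmed).
TCP_REGISTER = (
    "REGISTER sip:mysip.domain.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 123.123.123.123:2963;branch=465dsf5.Dj4S5pdfZ;alias\r\n"
    "Contact: <sip:user@123.123.123.123:2963;transport=tcp>\r\n"
    "Content-Length: 0\r\n\r\n")
TLS_REGISTER = (
    "REGISTER sip:mysip.domain.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.151.213.71:54873;alias;branch=465dsf5.D5sjt7Azc;rport\r\n"
    "Contact: <sip:user@10.151.213.71:54873;transport=tls>\r\n"
    "Content-Length: 0\r\n\r\n")

def parse_headers(msg):
    """Map lower-cased header names to their first value (request line skipped)."""
    hdrs = {}
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip().lower(), value.strip())
    return hdrs

def parse_via(via):
    """Split 'SIP/2.0/TLS host:port;flag;k=v' into (transport, host, port, params)."""
    sent_by, _, rest = via.partition(";")
    proto, hostport = sent_by.split()
    host, _, port = hostport.partition(":")
    params = {}
    for p in filter(None, rest.split(";")):
        k, _, v = p.partition("=")
        params[k] = v            # '' for flag params such as 'rport' and 'alias'
    return proto.rsplit("/", 1)[1], host, port, params

def analyse_register(msg, src_ip, src_port):
    """Compare the addresses the client wrote into Via/Contact with the packet's real source."""
    hdrs = parse_headers(msg)
    transport, host, port, params = parse_via(hdrs["via"])
    contact_host = re.search(r"sip:(?:[^@>]*@)?([^;:>]+)", hdrs["contact"]).group(1)
    # Assumes an IP literal in Contact, as in the post; a private one means NAT is in play.
    behind_nat = host != src_ip or ipaddress.ip_address(contact_host).is_private
    fixed = dict(params)
    if host != src_ip:           # RFC 3261 18.2.1: record the address we really saw
        fixed["received"] = src_ip
    if "rport" in params:        # RFC 3581: client asked to learn its public port
        fixed["rport"] = str(src_port)
    via = f"SIP/2.0/{transport} {host}:{port};" + ";".join(
        k + (f"={v}" if v else "") for k, v in fixed.items())
    return {"transport": transport, "behind_nat": behind_nat, "response_via": via,
            "rport_requested": "rport" in params, "contact_host": contact_host}
```

Run against the TCP sample the Via already matches the source, so nothing is added; against the TLS sample the server has to supply `received=123.123.123.123;rport=6503` itself and send media back to the signalling source, because nothing on the path can rewrite an encrypted request the way the cleartext TCP one evidently was.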

What is your actual SIP configuration in Asterisk? And those packets are as received from the remote side, so it could very well be something in between manipulating them in the case of TCP.