Tlsv1 alert decrypt error

Working with endpoints behind a NAT this error appears and the client connection becomes unavailable at the same time, the call drops, and then the client reconnects. Using Asterisk 13.24.1 with libsrtp-1.5.4-3 on CentOS 6 and pjsip version 2.8 which is pulled down with 13.24.1. The pjproject files are pulled down on a separate machine and copied to the local /tmp/ directory for use during compiling of Asterisk.
./configure --with-externals-cache=/tmp --libdir=/usr/lib64 --with-pjproject-bundled
These are SIP-TLS endpoints using SDES as media encryption method

While the endpoint is within a call or while the endpoint is (just) registered? In the latter case, the NAT must be kept alive, otherwise your router discards the NAT after its timeout period for TCP connections. One approach is to let the endpoints re-register sooner. Other approaches can be found by searching for keep_alive_interval. That is a parameter name in the configuration file pjsip.conf. If you are in control of the NAT, you can change its TCP timeout (or replace the router completely). However, if you are about in-call drops, you face a different issue.

These are in-call drops. We are not able to duplicate the issue in our lab. We see it, in the logs, as a decrypt error and the call drops. A packet capture shows what appears to be a complete conversation as far as TLS is concerned. Any ideas on where to start looking?