No idea if it works, but suggestions:
1. Turn off SIP ALG on the USG
2. Enable STUN/TUN or what its called on your phones/voip devices (done on the admin central side?)
3. On the central side, there probably is something in there to enable support for devices behind NAT.
4. In addition research of there is something for heartbeat/keep alive on the phones/voip devices (maybe on the central admin side again)
What is the design of a VoIP call? Well there are two major items, the first is the SIP signaling and the RTP data.
SIP signaling data includes tons of info that the SIP ALG needs to take care, there are multiple fields in there that needs to be rewritten. SIP ALG usually are flacky, since where the fields are in the data can be implementation specific.
So its better to have the central side make the correction anyway, which it can based on the IP headers and SIP C fields (I do not remember 100%, long time since I looked at SIP)
That way it will only look as normal sessions for the USG.
The RTP I do not remember if it actually has any embedded address fields, but it does, this can be fixed by the central side again.
Now the the phase is ofcourse direct calls between two SIP UAC, without a proxy in the middle, here it can get hairy.
But if there is some intelligence in the equipment, then it should be possible for the SIP server to inform the devices what addresses should be used in the IP headers and the other address fields embedded in the SIP info.
Sorry long time ago since I did serious SIP stuff, details have gone missing due to good whiskey
"Perl is executable line noise, Python is executable pseudo-code."