no, "only behind NAT" should be fine. The signaling trace doesn't record OPTIONS as that just muddies things up.
If the set is configured for TLS, it *should* be fine (unless there is a set issue, and that may be the case).
I'd try configuring the set for TCP and see if that makes a difference. If you get a "global tcpdump" for the test call, you can use wireshark to analyse it. With TLS, the sip messaging can't be seen so it's much harder to see what's going on. The "signalling capture" is internal to mbg, it gets the sip messages *after* decryption (or before encryption) and writes out a "fake" pcap for analysis, but it isn't actually showing what was on the wire and the state of the connection, like the global tcpdump does. (if you look closely, all the packets are udp in the signalling pcap, even though the actual connection may be tcp or tls)
That or wade through the tug log to see if the tls connection closed before we tried to send the UPDATE. If that happened, that'll explain the issue.