When debugging it is often nice to be able to gather information about NAT type and behavior. ZeroTier does not use STUN (for various reasons), but many STUN implementations contain some helpful code for doing this. It's helpful to use an external utility since it's "out of band" and therefore independent of ZeroTier.
This will perform the basic NAT characterization test from the STUN RFC. The STUN server can be any public STUN server.
It will generate output like:
According to this good STUN/NAT resource page this indicates a port-restricted cone NAT.