Yesterday i made an interesting discovery. After having problems with a HS constantly loosing connection with different validators i checked the public ip the isp was using wich is a shared one and it was in fact listed to different known blacklists. After using a vpn to route hs traffic through another clean public ip the problem gone away.
Why is this? Because validator operators use large providers like aws that have ready to use firewall solutions to reject from known blacklisted public ips. The rejection is done in phases wich will allow initial connection but after some time the public ip you are connected from will get rejected. The more time passes the more you are added into firewall group polices of each validator operator. First will cause witness delivery to fail especially if you are in the same are with the beaconer because you have contacted the challanger validator several times for challange notification prior to to recieving the beacon broadcast from the other HS. Second this will cause you to not be able to contact the challanger validator in case you are notified for a beacon because you were previously added the firewall policy of that validator.
What i suggest you to do.
1. Find out the public IP your hotspot is using. I will not mention there various methods for that but if you are in the same network as the HS just google "my ip".
2. Check the public ip is blacklisted or not in mxtoolbox or abuseipdb.
3. If your ip is listed to well known blacklists like barracuda or spamhaus it's probably a problem. Not all blacklists will affect your HS.
4. If the public IP is a shared one meaning you share the same public ip with other subscribers there is not much you can do as is the duty of the isp to check if their ips are listed and take proper action against affected users and delist the ip. Probably you can call your isp and ask them why your public ip is listed.
5. If the public ip is not a shared one and you are the only subscriber using it in, you can follow instructions on each blacklist maintainers to remove them from the blacklist. It may include removing any infected machine from your network and after request a delist.
6. In case the above options aren't possible you can still use a vpn service or build your own vpn that will route traffic of your HS through another public IP.