There are several ICMP messages that contain a copy of the original datagram that caused the ICMP message to be sent. When the sender of the original message is behind an OPTE NAT, the expectation would be that the copy of the original datagram in the ICMP message payload would be translated to be consistent with what the guest sent.

As a concrete example, we see traceroute packets like the following from within the guest.

23:32:41.655456 IP (tos 0x0, ttl 250, id 2385, offset 0, flags [DF], proto ICMP (1), length 96)
    68.86.93.241 > 172.30.0.5: ICMP time exceeded in-transit, length 76
        IP (tos 0x20, ttl 1, id 28766, offset 0, flags [DF], proto ICMP (1), length 60)
    10.100.0.11 > 1.1.1.1: ICMP echo request, id 914, seq 19, length 40 (wrong icmp cksum c209 
(->7ed5)!)

Here the guest address is 172.30.0.5 and the assigned external IP is 10.100.0.11. As we can see the ICMP packet itself had NAT performed showing 68.86.93.241 > 172.30.0.5. However, the copy of the original packet in the ICMP payload shows 10.100.0.11 > 1.1.1.1. This prevents traceroute from working properly.