Yeah, we've had huge issues with NBAR, in particular misclassifying Unifi management packets and 3CX tunneled voice traffic, so it's prevented remote management of some distant sites' Ubnt gear, and caused their phone calls to repeatedly reconnect when using iOS or Windows clients.
The solution was to manually update the L7 rules to exclude these false matches, but then 1) there may be new false matches, 2) that's across dozens of sites we'd have to do this, and 3) then each month when new definitions are added we have to rinse and repeat.
The other option at one point, unsure if this works, but turning off advanced traffic analytics or something disabled NBAR; however, a lot of our sites actually need this feature.
For now, we're getting a pile of sites 'pinned' on MX15, and for others that are more critical, e.g. local govt, we are replacing the MX with FortiGates, which we've tested not to have this issue.
I hope that helps!
-KP