
DMVPN single hub / dual cloud failover with unexpected behavior

Fredde7803
Level 1

Hi

I've got a DMVPN phase 2 single hub / dual cloud setup which works fine until the primary hub is lost.

When that happens, all spokes are still able to communicate through the secondary hub (and thereby reach the LAN), but the spoke-to-spoke traffic stops working.

If I look in the routing table of the spokes, it has changed to route traffic to the other spokes via the secondary cloud. I'm using OSPF for routing.

When the primary hub is up, everything works perfectly, so I'm sure that this is just me missing something.

Both hubs are 1921s and spokes are either 1921s, C891s or C881s, and they are all running Version 15.4(3)M4 (same behavior in M5).

Anyone who can help or maybe recognise this behavior?

HUB1 config:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key "64 character long psk" address 0.0.0.0       
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-md5-hmac
 mode transport
!        
crypto ipsec profile DMVPN_PROFILE1
 set transform-set DMVPN_TS
!        
interface Tunnel1
 bandwidth 10000
 ip vrf forwarding DMVPN_VRF
 ip address 172.16.50.1 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "8 character long psk"
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE1

HUB2

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key "64 character long psk" address 0.0.0.0       
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!        
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE2
 set transform-set DMVPN_TS
!
interface Tunnel2
 bandwidth 9000
 ip vrf forwarding DMVPN_VRF
 ip address 172.16.50.129 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "8 character long psk"
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE2

SPOKE(s)

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key "64 character long psk" address 0.0.0.0       
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE1
 set transform-set DMVPN_TS
!
crypto ipsec profile DMVPN_PROFILE2
 set transform-set DMVPN_TS
!
interface Tunnel1
 bandwidth 10000
 ip vrf forwarding DMVPN_VRF
 ip address 172.16.50.5 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "8 character long psk"
 ip nhrp map multicast 1.2.3.4
 ip nhrp map 172.16.50.1 1.2.3.4
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.50.1
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROFILE1
!
interface Tunnel2
 bandwidth 9000
 ip vrf forwarding DMVPN_VRF
 ip address 172.16.50.133 255.255.255.128
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "8 character long psk"
 ip nhrp map multicast 5.6.7.8
 ip nhrp map 172.16.50.129 5.6.7.8
 ip nhrp network-id 2
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.50.129
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN_PROFILE2

Any help appreciated - thanks! :-)
