DMVPN's hub (in a typical configuration) does not contain information about endpoints (unlike spokes, which have a statically configured NHS and NHRP mapping); it only learns about those during the NHRP registration exchange.
So there should not be a need/possibility for the hub to initiate IKE sessions (hence the additional enforcement of "ip nhrp server-only").
Now, what can happen is that IKE renegotiation is not triggered by the spoke on time and the hub tries to initiate a rekey. It typically should not happen.
DMVPN is a routing-based VPN; the hub will always follow routing to determine where to send traffic. Typically it will send traffic out its default route, where it will be dropped (in the situation you describe).
A few best practices:
- Lower NHRP holdtime
- Configure MTU and adjust MSS.
- If you're running ISR G2, and it's a setup "for the future":
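As an added illustration (not part of the original reply), here is an IOS hub mGRE tunnel stanza that applies the practices listed above. Addresses, tunnel key, network-id, source interface, authentication string and IPsec profile name are constructed placeholders.

```cisco
! Added example, not from the original thread: DMVPN hub tunnel on IOS.
! All addresses, keys, names and IDs below are constructed placeholders.
interface Tunnel0
 description DMVPN hub - mGRE
 ip address 10.0.0.1 255.255.255.0
 ! Hub carries no static spoke mappings; it learns them from NHRP registrations.
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ! Hub answers NHRP requests only and never originates its own (server role).
 ip nhrp server-only
 ! Lower holdtime (default 7200 s) so stale spoke entries age out sooner.
 ip nhrp holdtime 300
 ! Leave room for GRE + IPsec overhead and clamp TCP MSS to avoid fragmentation.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE
```

Spokes keep their static NHS/NHRP map entries; only the hub side is shown here.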