Hello Barry,
without seeing more details is difficult to say anything.
remove username and passwords, substitute public ip addresses and post configuration of hub router and one spoke.
A network diagram showing Head quarters architecture from HUB to CCM servers would be of help too.
There is any firewall to be crossed that sees traffic coming from different interfaces when using primary DS£ links or DMVPN backup links?
A TCP session requires bidirectional connectivity to be setup.
A SW defect on the hub router is also possible.
Hope to help
Giuseppe