Hello, I'm investigating an unusual behaviour with our DMVPN and hoping someone can point us in the right direction.
We have a 3-hub solution with numerous branch office spokes using BGP on the WAN and EIGRP for tunnel routing. The majority of offices are dual spokes and we also redistribute LAN OSPF into EIGRP on the larger sites. Each spoke router has 3 tunnels with one for each hub. EIGRP metrics determine that tunnel 1 is preferred, then tunnel 2. Hub tunnel 3 is a DR site and advertises a completely different network.
On several of the spoke routers we're seeing dynamic spoke to spoke tunnels coming up on all 3 tunnels. We have office to office traffic so there should be dynamic tunnels for tunnel 1 only. All routes in EIGRP on the spokes use tunnel 1. There are no routes using tunnels 2 or 3 except for the hub interface and the DR site. If we do a clear dmvpn session peer x.x.x.x it takes less than a minute before spoke to spoke SAs are created on tunnels 2 and 3. They never seem to time out.
Looking in the EIGRP topology table all office subnets prefer tunnel 1 as expected.
Not all spoke locations have this issue; some only bring up dynamic spoke to spoke tunnels using tunnel 1. Comparing the configs, they appear identical :)
The hardware is a mix of ASR100x and ISRs, mostly on the same IOS version.
What is the best way to determine why spoke to spoke DMVPNs on tunnels 2 and 3 are coming up and also staying up? Looking at debug dmvpn all, we can see the IPsec being initiated after clearing the session peer but not the trigger. It's as if some of the spokes are behaving like hubs?
Thank you