I am having never ending problems with my DMVPN tunnel protection setup. It started with the spokes not recognizing the tunnel as down, I couldn't find a way to do keepalives or DPD. Then I started having issues where the tunnel would just stay in NHRP or IKE or IPSEC instead of recovering correctly and I would have to go in and either reload the 881 routers or I would have to remove the tunnel all together and reconfigure it. In an effort to resolve some of these problems I replaced the tunnel path-mtu-discovery command with ip mtu 1400. And based on suggestions from my security team I switched the crypto method to AES-GCM-256 from AES-CBC-256.

Now my problem is that 1 tunnel will stay up without any hiccups and the other will flap hourly. I have 50+ spokes all connecting to a ASR1001 hub router. Each spoke is at a separate location and connects to different ISP modems. A majority of the spokes are 881's, but some are 887VAs and another is a 4321. The DR tunnel is the one that has been stable and the MC one is flapping. 

I have a dual-hub dual-cloud setup.

I have attached my hubs and spoke configurations with the IP addresses redacted.