
DMVPN spoke tunnel up/down after changing hub isp ip

adavisvpn (Level 1)

crypto isakmp policy 1
encr aes 192
authentication pre-share
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
lifetime 10800
crypto isakmp key DesMv90 address (change to new ip)
crypto isakmp key DY3S-h3xp0l1 address xxxxxxx
crypto isakmp key DY3S-h3xp0l1 address xxxxxxxx
crypto isakmp key DY3S-h3xp0l1 address xxxxxxxx
crypto isakmp keepalive 10 10
!
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
!
interface Tunnel0
bandwidth 1000
ip address 192.168.106.2 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 192.168.106.1 (changed to new ip)
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.106.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf mtu-ignore
delay 1000
tunnel source Cellular0
tunnel destination (changed to new ip)
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Cellular0
ip address negotiated

These were the only changes; there should be no issues, but the tunnel protocol is down. Help?

1 Accepted Solution (by marce1000, shown below among the replies)

28 Replies

marce1000 (VIP), accepted solution:

      - Coordinate this issue with the ISP and ask for assistance,

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

All other VPNs are working fine. It's just the DMVPNs. I will try clearing the NHRP cache next.

After checking configurations for days, I went back to this. I checked my new internet modem and noticed the outside-facing IP was set to "no incoming traffic". Once I unchecked this, the DMVPN tunnels came up immediately. Wow. Could not see the forest for the trees.

Is there NAT in the path between spoke and hub?

Did you try to reload the device? Alternatively, I think you can try to clear the NHRP cache.

Thanks. This DMVPN has a hub and two spokes. All was fine until I had to change the outside-facing IP on the hub. All the NAT and routes were working. Additionally, from reading other posts, I removed the protection on the spoke tunnel and the tunnel goes UP/UP; when I add it back it goes UP/DOWN. Please see the configs below; the hub tunnel is Tunnel2, the spoke is Tunnel0 on the spoke router, followed by the response from sh tun int tun0. The spoke router's NHRP cache has been cleared and sh ip nhrp cache recognizes the xxxxxxxxxxxx next hop. There are other VPNs operating fine on both Cisco routers:

HUB:

! this is the hub
hostname mv90
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$9yn5$/4g2Ud9T2.3dFjIHVSaEg.
enable password xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone PCTime -6 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ip cef
!
!
!
!
!
!
ip domain name yourdomain.com
ip name-server 68.94.156.11
ip name-server 68.94.157.11
no ipv6 cef
!
multilink bundle-name authenticated
clns routing
!
!
redundancy
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 192
authentication pre-share
crypto isakmp key xxxxxxxxxxx address xxxxxxxxxxxx
crypto isakmp key xxxxxxxxxxxx address xxxxxxxxxxxx
crypto isakmp key ?????? address 0.0.0.0
crypto isakmp keepalive 10 10
!
!
crypto ipsec transform-set VZW-TSET esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
!
!
!
crypto map VZW-MAP 10 ipsec-isakmp
set peer xxxxxxxxxxxxx
set peer xxxxxxxxxxxxx
set transform-set VZW-TSET
match address 172
!
!
!
!
!
interface Tunnel0
ip address 192.168.xxxxxx 255.255.255.252
ip mtu 1420
tunnel source xxxxxxxxxxxx
tunnel destination xxxxxxxxxx
tunnel path-mtu-discovery
!
interface Tunnel1
ip address 192.168.xxxx 255.255.255.252
ip mtu 1420
tunnel source xxxxxxxxxxxxx
tunnel destination xxxxxxxxxxxx
tunnel path-mtu-discovery
!
interface Tunnel2
bandwidth 1000
ip address 192.168.xxxx 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.106.1
ip nhrp registration no-unique
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf mtu-ignore
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description wan$ETH-WAN$
ip address xxxxxxxxx 255.255.255.248
duplex auto
speed auto
crypto map xxxxxx
!
interface GigabitEthernet0/1
description lan$ETH-LAN$
ip address 192.168.xxxxxx 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
router ospf 11
network 192.168.1xxxx 0.0.0.255 area 3
network 192.168.xxxxx 0.0.0.255 area 3
!
router iso-igrp area_1
net 49.0001.7c0e.ce5b.d720.00
!
router bgp 65505
bgp log-neighbor-changes
neighbor 192.168.xxxxx remote-as 6167
neighbor 192.168.xxxxx default-originate
neighbor 192.168.xxxxxx remote-as 6167
neighbor 192.168.xxxxxx default-originate
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 xxxxxxxxxxx
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0 xxxxxxxxxx
ip route xxxxxxxx 255.255.255.0 192.168.xxxx
ip route xxxxxxxxxx 255.255.255.0 192.168.xxxx
ip route xxxxxxxxxxxxx 255.255.255.255 GigabitEthernet0/0 xxxxxxxxx
ip route xxxxxxxxxxxxx 255.255.255.255 GigabitEthernet0/0 xxxxxxxxx
ip route 192.168.xxxx 255.255.255.0 192.168.xxxx
ip route 192.168.xxxx 255.255.255.0 192.168.xxxxx
!
logging dmvpn rate-limit 20
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.xxxx.0 0.0.0.255
access-list 1 permit 192.168.xxxxx.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.xxxxx 0.0.0.255
access-list 23 permit 192.xxxxx.0 0.0.0.255
access-list 23 permit 192.xxxxxx.0 0.0.0.255
access-list 172 remark 172
access-list 172 remark CCP_ACL Category=5
access-list 172 permit gre host xxxxxxxxxx host xxxxxxxxxx
access-list 172 remark 172
access-list 172 permit gre host xxxxxxxxx host xxxxxxxxxxx
dialer-list 1 protocol ip permit


Spoke:

! this is the spoke
hostname router2
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
!
!
ip domain name yourdomain.com
ip name-server xxxxxxxx
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
license udi pid C819HG-LTE-MNA-K9 sn FTX2134Z075
!
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
!
redundancy
!
!
!
!
!
controller Cellular 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
no cdp run
!
!
!
crypto isakmp policy 1
encr aes 192
authentication pre-share
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
lifetime 10800
crypto isakmp key xxxxxxxxxxx address xxxxxxxxxx
crypto isakmp key xxxxxxxxxxx address xxxxxxxxxx
crypto isakmp key xxxxxxxxxxx address xxxxxxxxxx
crypto isakmp key ?????? address xxxxxxxxxx
crypto isakmp keepalive 10 10
!
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
!
!
!
crypto map CMAP_1 1 ipsec-isakmp
description Tunnel to TVA LAB
set peer xxxxxxxxxxxx
set transform-set AES-256
match address 105
crypto map CMAP_1 2 ipsec-isakmp
description Tunnel to TVA SOC
set peer xxxxxxxxxx
set transform-set AES-256
match address 106
crypto map CMAP_1 3 ipsec-isakmp
description Tunnel to TVA ROC
set peer xxxxxxxxxxxxx
set transform-set AES-256
match address 107
!
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.xxxx 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 192.168.xxxx xxxxxxxxx
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.xxxx
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf mtu-ignore
delay 1000
tunnel source Cellular0
tunnel destination xxxxxxxxx
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
no peer default ip address
async mode interactive
crypto map CMAP_1
routing dynamic
!
interface Cellular1
no ip address
encapsulation slip
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
description $ETH-LAN$
ip address xxxxxxxxxx 255.255.255.240
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1400
ip policy route-map clear-df
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
description $ETH_LAN$
ip address 10.10.10.1 255.255.255.128
ip tcp adjust-mss 1452
!
router ospf 11
network xxxxxxxxx 0.0.0.15 area 3
network 192.168.xxxxx 0.0.0.255 area 3
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended NAT
remark CCP_ACL Category=18
deny ip xxxxxxxxxx 0.0.0.15 xxxxxxxxxxxxx 0.0.1.255
deny ip xxxxxxxxxx 0.0.0.15 xxxxxxxxxxxxx 0.0.0.31
deny ip xxxxxxxx 0.0.0.15 xxxxxxxxxxxx 0.0.0.31
deny ip xxxxxxxxxx 0.0.0.15 xxxxxxxxxxxx 0.0.0.255
permit ip xxxxxxxxx 0.0.0.15 any
!
dialer-list 1 protocol ip list 1
ipv6 ioam timestamp
!
route-map SDM_RMAP_1 permit 1
match ip address NAT
!
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 23 permit xxxxxxxxx 0.0.0.255
access-list 23 permit 192.168.xxxxxxx40 0.0.0.15
access-list 23 permit xxxxxxxxxxx 0.0.0.255
access-list 105 remark IPSEC Rule
access-list 105 permit ip xxxxxxxxxxx 0.0.0.15 xxxxxxxxxx 0.0.1.255
access-list 106 remark IPSEC Rule
access-list 106 permit ip xxxxxxxxx 0.0.0.15 xxxxxxxxxx 0.0.0.31
access-list 107 remark IPSEC Rule
access-list 107 permit ip xxxxxxxxx 0.0.0.15 xxxxxxxxxx 0.0.0.31
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default

---------
show tunnel interface tunnel0
Tunnel0
Mode:GRE/IP, Destination xxxxxxxxxx, Source Cellular0
IP transport: output interface Cellular0 next hop xxxxxxxxx
Application ID 1: unspecified
OCE: IP tunnel decap
Provider: interface Tu0, prot 47
Performs protocol check [47]
Performs Address save check
Protocol Handler: GRE: key 0x186A0, opt 0x2000
ptype: ipv4 [ipv4 dispatcher: drop]
ptype: ipv6 [ipv6 dispatcher: drop]
ptype: mpls [mpls dispatcher: drop]
ptype: otv [mpls dispatcher: drop]
ptype: generic [mpls dispatcher: drop]
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with Cellular0
Set of tunnels with source Cellular0, 1 member (includes iterators), on interface <OK>
Linestate - current down
Internal linestate - current down, evaluated down - linestate protection reg down
Tunnel Source Flags: Local
Transport IPv4 Header DF bit cleared


Thanks.



If the IPsec tunnel is not UP/UP, then:
clear crypto sa
clear crypto isakmp <<- this must be done first
That will solve the issue here.

I did the clear cry isa sa then clear cry sa at the spoke. Is that needed at the hub also?

Both sides, hub and spoke.

Did both ends. The ISAKMP SA came up ACTIVE and ACTIVE (deleted). Tunnel0 is still showing up/down; I can't ping the tunnel IP 192.168.xxxxxx because the protocol is down. See below:

Router2#show cry isa dia error
Exit Path Table - status: enable, current entry 24, deleted 0, max allow 50

Error(616): Failed to send delete, peer isn't authenticated.
[conn id 0, local xxxxxxxxxx:500 remote xxxxxxxxxx:500]
state mask 0x1

-Traceback= A72078Cz A720C08z A710000z A702670z A6A5CA8z A6A5CF4z ABAFA10z A6AB8
28z A6AB9F8z A70C670z A71682Cz 6087D78z 606ECA8z

Error(616): Failed to access account record.


-Traceback= A72078Cz A720C08z A6B5E48z A6D1EE0z A6D2354z A6D258Cz A70264Cz A6A5C
A8z A6A5CF4z ABAFA10z A6AB828z A6AB9F8z A70C670z A71682Cz 6087D78z 606ECA8z

Error(593): SA is still negotiating. Attached new ipsec request to it.
[conn id 0, local xxxxxxxxxx:500 remote xxxxxxxxx:500]


-Traceback= A72078Cz A720C08z A709A10z A712460z A75ABE4z A716948z 6087D78z 606EC
A8z

Error(22): Failed to access account record.

OK,
interface tunnel x
 shut
(wait 5 min)
 no shut

 

              > ...Is that needed at the hub also?
                 Yes, contact the ISP (too).


  M.




Did shut / no shut, cleared the cache. The ISP should not be the problem because other VPNs are working and I can ping outside IP to outside IP, hub to spoke to hub. Protocol down on spoke hub. It's something to do with encryption. I removed and re-entered the ISAKMP key on both ends. If I remove protection on the tunnel the protocol comes up. When I put it back in it goes down.

match address 172 <<- crypto map ACL under the tunnel source, which I don't know why you want,
but:
access-list 172 permit gre host 104.184.14.113 host xxxxxxxxxx
access-list 172 permit gre host 104.184.14.113 host xxxxxxxxxxx

So you changed the hub IP; did you change the ACL of the crypto map??
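A static cross-check of a hub and spoke config pair, added here as an example for this thread (Python, not code from any of the posts or from Cisco). It parses two IOS running-configs and reports what must be consistent or updated after the hub's WAN IP changes: the spoke-side items that move with the address (the isakmp key binding, ip nhrp map, tunnel destination), the GRE/NHRP parameters that must match on both ends (tunnel key, nhrp network-id, nhrp authentication), a matching ISAKMP policy and IPsec profile transform-set, and a crypto-map GRE ACL on the hub that still names the old address, which is what the last reply is asking about. It also flags a wildcard "crypto isakmp key ... address 0.0.0.0" like the one in the posted hub config, because any peer that knows that key can authenticate. The two configs embedded in the block are constructed to mirror the posted ones, with RFC 5737 placeholder addresses and made-up key names; the OLD_HUB_IP/NEW_HUB_IP values, the tunnel interface names and every function name are assumptions of this example. Note what a static check cannot see: the poster's actual cause was the new modem dropping inbound traffic to the outside IP, so a clean result here means the next step is confirming that UDP/500, UDP/4500 and ESP actually reach the hub.

```python
# Added example for this thread (not code from the posts): cross-check a DMVPN hub/spoke config pair.
import re

OLD_HUB_IP, NEW_HUB_IP = "203.0.113.10", "203.0.113.20"  # assumed old/new hub WAN IPs (RFC 5737)
HUB_CFG = f"""
crypto isakmp policy 2
 encr aes 192
 authentication pre-share
crypto isakmp key anykey address 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
interface Tunnel2
 ip nhrp authentication DMVPN_NW
 ip nhrp network-id 100000
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
access-list 172 permit gre host {OLD_HUB_IP} host 198.51.100.5
"""
SPOKE_CFG = f"""
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
crypto isakmp key hubkey address {OLD_HUB_IP}
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
interface Tunnel0
 ip nhrp authentication DMVPN_NW
 ip nhrp map 192.168.106.1 {NEW_HUB_IP}
 ip nhrp network-id 100000
 ip nhrp nhs 192.168.106.1
 tunnel destination {NEW_HUB_IP}
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
"""

def parse_ios(text):  # -> [(command, [sub-commands])]; indented lines belong to the preceding command
    blocks = []
    for ln in (x for x in text.splitlines() if x.strip() and not x.lstrip().startswith("!")):
        if ln.startswith(" ") and blocks:
            blocks[-1][1].append(ln.strip())
        else:
            blocks.append((ln.strip(), []))
    return blocks

def block(blocks, cmd):  # sub-commands of the block whose command line equals cmd, else []
    return next((subs for c, subs in blocks if c == cmd), [])

def sub_value(subs, prefix):  # argument following prefix in a sub-command list, else None
    return next((s[len(prefix) + 1:] for s in subs if s.startswith(prefix + " ")), None)

def isakmp_policies(blocks):  # IKEv1 policies as (encr, hash, auth, group), IOS defaults filled in
    pols = set()
    for cmd, subs in blocks:
        if cmd.startswith("crypto isakmp policy "):
            p = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
            for s in subs:
                k, _, v = s.partition(" ")
                if k in p:
                    p[k] = v
            pols.add(tuple(p.values()))
    return pols

def isakmp_keys(blocks):  # peer address -> PSK, from 'crypto isakmp key K address A' lines
    return {m[2]: m[1] for cmd, _ in blocks
            if (m := re.match(r"crypto isakmp key (\S+) address (\S+)", cmd))}

def profile_transform(blocks, profile):  # ipsec profile -> ('esp algs', mode); IOS default mode is tunnel
    tset = sub_value(block(blocks, f"crypto ipsec profile {profile}"), "set transform-set")
    for cmd, subs in blocks:
        if cmd.startswith(f"crypto ipsec transform-set {tset} "):
            return " ".join(cmd.split()[4:]), sub_value(subs, "mode") or "tunnel"
    return None

def check_dmvpn(hub_text, spoke_text, hub_tun, spoke_tun, old_hub_ip, new_hub_ip):  # -> list of findings
    hub, spoke = parse_ios(hub_text), parse_ios(spoke_text)
    h, s = block(hub, f"interface {hub_tun}"), block(spoke, f"interface {spoke_tun}")
    out = []
    if not isakmp_policies(hub) & isakmp_policies(spoke):  # phase 1 needs one identical policy
        out.append("no matching ISAKMP policy between hub and spoke")
    skeys = isakmp_keys(spoke)  # the spoke's PSK is bound to the hub address, so it must follow the change
    if new_hub_ip not in skeys:
        out.append(f"spoke has no ISAKMP key for new hub IP {new_hub_ip}; keys exist for {sorted(skeys)}")
    if "0.0.0.0" in isakmp_keys(hub):  # wildcard PSK: any peer that knows it can authenticate
        out.append("hub has a wildcard PSK (address 0.0.0.0); any peer with the key can authenticate")
    for prefix in ("tunnel key", "ip nhrp network-id", "ip nhrp authentication"):
        if sub_value(h, prefix) != sub_value(s, prefix):  # on mismatch the hub drops the spoke's GRE/NHRP
            out.append(f"{prefix} differs: hub={sub_value(h, prefix)} spoke={sub_value(s, prefix)}")
    for what in ("tunnel destination", f"ip nhrp map {sub_value(s, 'ip nhrp nhs')}"):
        if sub_value(s, what) != new_hub_ip:  # both the GRE endpoint and the NHS mapping must move
            out.append(f"spoke '{what}' does not point at the new hub IP {new_hub_ip}")
    if len({profile_transform(c, sub_value(i, "tunnel protection ipsec profile"))
            for c, i in ((hub, h), (spoke, s))}) > 1:  # phase 2 proposal mismatch
        out.append("ipsec profile transform-set/mode differs between hub and spoke")
    for cmd, _ in hub:  # a crypto-map GRE ACL still naming the old hub IP can never match
        if re.match(r"access-list \d+ permit gre ", cmd) and old_hub_ip in cmd.split():
            out.append(f"hub GRE crypto-map ACL still references old hub IP: {cmd}")
    return out
```

Run against the constructed pair it returns three findings: the spoke's PSK is still bound to the old hub address, the hub carries a wildcard PSK, and ACL 172 still names the old hub IP. Once the spoke key and the ACL are updated only the wildcard-PSK warning remains. On the UP/UP versus UP/DOWN observation in the thread: the show tunnel output above reports "linestate protection reg down", which is the tunnel-protection registration holding the line protocol down until an IPsec SA exists, so a tunnel that is UP/UP without protection and UP/DOWN with it points at IKE/IPsec not completing rather than at GRE or routing.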