FlexVPN Spoke to Spoke , NHRP Redirect not working

poldi1978
Level 1

I have a working FlexVPN Hub and Spoke Setup and want to add Spoke-to-Spoke Feature.

Sadly the hub doesn't seem to redirect traffic, i.e. NHRP is not working correctly. I suspect "NHRP: Rejecting addr type 0" from the debug tells me why this is not working, but I can't find any further information about this debug message.

When I initiate traffic from one spoke to a subnet behind another spoke (in the example to 192.168.100.0/24) there is not even an attempt to initiate a crypto session between the spokes. All spokes are configured the same.

 

NHRP debug output during tunnel setup (hub side):

1544366: Oct 14 12:58:55.790 CEST: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
1544367: Oct 14 12:58:56.880 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
1544368: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: Tunnel mode changed from
'Uninitialized tunnel mode' to 'GRE over point to point IPV4 tunnel mode'
1544369: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: NHRP not enabled
1544370: Oct 14 12:58:56.882 CEST: NHRP: Virtual-Access3: Tunnel mode changed from
'GRE over point to point IPV4 tunnel mode' to 'Encapsulating Security Protocol (ESP) over point 2 point IPv4 used by the ipsec client'
1544371: Oct 14 12:58:56.882 CEST: NHRP: Virtual-Access3: NHRP not enabled
1544372: Oct 14 12:58:56.889 CEST: NHRP: Rejecting addr type 0
1544373: Oct 14 12:58:56.889 CEST: NHRP: Adding all static maps to cache
1544374: Oct 14 12:58:56.889 CEST: NHRP: NHRP Redirect Feature PI-code Initialized
1544375: Oct 14 12:58:56.889 CEST: NHRP: Redirect Feature Initialized - Attempting Platform Init
1544376: Oct 14 12:58:56.890 CEST: NHRP: Rejecting addr type 0
1544377: Oct 14 12:58:56.890 CEST: NHRP: Rejecting addr type 0
1544378: Oct 14 12:58:56.896 CEST: %IKEV2-5-SA_UP: SA UP
1544379: Oct 14 12:58:56.896 CEST: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP.  Peer <SPOKE-PUBLIC-IP>:500 f_vrf:  <HUB-EXTERNAL-VRF> i_vrf:  <HUB-EXTERNAL-VRF>   Id: <SPOKE-FQDN>
1544380: Oct 14 12:58:56.904 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
1544381: Oct 14 12:58:56.905 CEST: NHRP: if_up: Virtual-Access3 proto 'NHRP_IPv4'
1544382: Oct 14 12:58:56.906 CEST: NHRP: Rejecting addr type 0
1544383: Oct 14 12:58:56.906 CEST: NHRP: Adding all static maps to cache
1544384: Oct 14 12:58:56.906 CEST: NHRP: Unable to send Registration - no NHSes configured
1544385: Oct 14 12:58:57.905 CEST: NHRP: Unable to send Registration - no NHSes configured

 

NHRP debug output during tunnel setup (client side):

.Oct 14 12:58:55.827: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXCLIENT) Client_public_addr = <SPOKE-PUBLIC-IP> Server_public_addr = <HUB-PUBLIC-IP>
.Oct 14 12:58:57.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
.Oct 14 12:58:57.071: NHRP: if_up: Tunnel0 proto 'NHRP_IPv4'
.Oct 14 12:58:57.071: NHRP: Rejecting addr type 0
.Oct 14 12:58:57.071: NHRP: Adding all static maps to cache
.Oct 14 12:58:57.071: NHRP: Unable to send Registration - no NHSes configured
.Oct 14 12:58:57.079: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXCLIENT) Client_public_addr = <SPOKE-PUBLIC-IP> Server_public_addr = <HUB-PUBLIC-IP> Assigned_Tunnel_v4_addr = 10.255.176.15
.Oct 14 12:58:58.071: NHRP: Unable to send Registration - no NHSes configured

 

Relevant hub config:

crypto ikev2 profile EXTERN-IKEV2-PROFILE
 match fvrf <HUB-EXTERNAL-VRF>
 match identity remote fqdn domain <CUSTOMER-DOMAIN>
 identity local fqdn <HUB-FQDN>
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA
 dpd 10 2 periodic
 aaa authorization group cert list RADIUS-AUTHORISATION name-mangler GET-FULL-HOST
 virtual-template 10

crypto ipsec profile FLEXVPN-EXT-IPSEC-PROF
 set ikev2-profile EXTERN-IKEV2-PROFILE

 

 
sho derived-config interface virtual-access 3
 
interface Virtual-Access3
 description Tunnel Template fuer VRF <HUB-EXTERNAL-VRF>
 vrf forwarding <HUB-INTERNAL-VRF>
 ip address 10.255.176.14 255.255.255.254
 ip nhrp network-id 5
 ip nhrp redirect
 tunnel source <HUB-PUBLIC-IP>
 tunnel mode ipsec ipv4
 tunnel destination <SPOKE-PUBLIC-IP>
 tunnel path-mtu-discovery
 tunnel vrf <HUB-EXTERNAL-VRF>
 tunnel protection ipsec profile FLEXVPN-EXT-IPSEC-PROF
 no tunnel protection ipsec initiate
end

 

Relevant spoke config:

interface Virtual-Template10 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 5
 ip nhrp shortcut virtual-template 10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXCLIENT-IPSEC-PROFILE
 
 
crypto ikev2 profile FLEXCLIENT-PROFILE
 match identity remote fqdn <HUB-FQDN>
 match identity remote fqdn domain <CUSTOMER-DOMAIN>
 identity local fqdn <SPOKE-FQDN>
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA
 dpd 10 2 periodic
 aaa authorization group cert list Flex FlexClient-Author
 virtual-template 10
 
 

crypto ipsec profile FLEXCLIENT-IPSEC-PROFILE
 set ikev2-profile FLEXCLIENT-PROFILE

interface Tunnel0
 description [Tunnel to FlexHub]
 ip address negotiated
 ip nhrp network-id 5
 ip nhrp shortcut virtual-template 10
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile FLEXCLIENT-IPSEC-PROFILE
end

 

Working tunnel on hub side:

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         <HUB-PUBLIC-IP>/500   <SPOKE-PUBLIC-IP>/500      <HUB-EXTERNAL-VRF>   READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/555 sec
      CE id: 18901, Session-id: 2086
      Status Description: Negotiation done
      Local spi: D13309864C08DB0E       Remote spi: 2098208B89845A8E
      Local id: <HUB-FQDN>
      Remote id: <SPOKE-FQDN>
      Local req msg id:  55             Remote req msg id:  58        
      Local next msg id: 55             Remote next msg id: 58        
      Local req queued:  55             Remote req queued:  58        
      Local window:      5              Remote window:      5         
      DPD configured for 10 seconds, retry 2
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Assigned host addr: 10.255.176.15
      Initiator of SA : No
      Remote subnets:
      10.255.176.15 255.255.255.255
      10.255.18.44 255.255.255.255
      192.168.100.0 255.255.255.0

 

Working tunnel on spoke side:

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         <SPOKE-PUBLIC-IP>/500      <HUB-PUBLIC-IP>/500   none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/529 sec
      CE id: 2029, Session-id: 20
      Status Description: Negotiation done
      Local spi: 2098208B89845A8E       Remote spi: D13309864C08DB0E
      Local id: <SPOKE-FQDN>
      Remote id: <HUB-FQDN>
      Local req msg id:  55             Remote req msg id:  52        
      Local next msg id: 55             Remote next msg id: 52        
      Local req queued:  55             Remote req queued:  52        
      Local window:      5              Remote window:      5         
      DPD configured for 10 seconds, retry 2
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Pushed IP address: 10.255.176.15
      Remote subnets:
      10.255.176.14 255.255.255.255
      0.0.0.0 0.0.0.0

 

 

 

As stated before, the FlexVPN and crypto setup works fine, except for the NHRP redirect feature. Any help with this would be appreciated.

 

 

Accepted Solution

Marcin Latosiewicz
Cisco Employee

 tunnel mode ipsec ipv4 <--- NHRP in IP world, may not work ...  Try with GRE? 

 

1544368: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: Tunnel mode changed from
'Uninitialized tunnel mode' to 'GRE over point to point IPV4 tunnel mode'
1544369: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: NHRP not enabled

 

 

interface Virtual-Template10 type tunnel
 ip unnumbered Tunnel0 <--- why tunnel 0 and not the LAN 

 

VRF configuration? 


5 Replies


Thanks

 

 no tunnel mode ipsec ipv4

 

was all the setup needed!

Perfect Answer. I was facing the same issue.

I suspect that Flex Spoke-to-Spoke tunnels do not work with ipv4 mode and only support gre mode.

NHRP is an L2 protocol, VTI is an L3 encapsulation. So yes, you do need GRE (default).
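As an added example (not code from this thread, from Cisco, or from any poster), a small Python audit that applies the accepted answer to a saved IOS config: it flags any interface that carries ip nhrp commands while using a non-GRE tunnel mode such as ipsec ipv4, and emits the config with that line dropped, which is the "no tunnel mode ipsec ipv4" fix the original poster confirmed. The sample config is constructed; interface and profile names mirror the thread but are placeholders.

```python
# Constructed sample (not the thread's config verbatim): hub VTI running NHRP, spoke tunnel on the GRE default.
SAMPLE_CONFIG = """\
interface Virtual-Access3
 ip nhrp network-id 5
 ip nhrp redirect
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN-EXT-IPSEC-PROF
!
interface Tunnel0
 ip nhrp network-id 5
 ip nhrp shortcut virtual-template 10
!
"""

def parse_interfaces(config: str) -> dict:
    """Split an IOS config into {interface name: [indented sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]   # 'Virtual-Template10 type tunnel' -> name only
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None              # '!' or a global command ends the block
    return blocks

def find_nhrp_on_vti(config: str) -> list:
    """Interfaces running NHRP on a non-GRE tunnel. GRE is the IOS default when no
    'tunnel mode' is set; NHRP redirect/shortcut needs GRE, as the accepted answer notes."""
    offenders = []
    for name, cmds in parse_interfaces(config).items():
        uses_nhrp = any(c.startswith("ip nhrp ") for c in cmds)
        mode = next((c for c in cmds if c.startswith("tunnel mode ")), "tunnel mode gre ip")
        if uses_nhrp and not mode.startswith("tunnel mode gre"):
            offenders.append(name)
    return offenders

def corrected_config(config: str) -> str:
    """Apply the thread's fix ('no tunnel mode ipsec ipv4') to every offending interface."""
    offenders, out, current = set(find_nhrp_on_vti(config)), [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif not line.startswith(" "):
            current = None
        if not (current in offenders and line.strip() == "tunnel mode ipsec ipv4"):
            out.append(line)
    return "\n".join(out) + "\n"
```

Feed it the output of "show derived-config interface virtual-access N" (hub) or "show running-config interface Tunnel0" (spoke); an empty offender list means every NHRP-enabled tunnel is GRE.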