IPSec and Need to restart

When I log into my branch router I can see that only 1 tunnel is working. When I do sh crypto session, it says NO IKE in the status. Then I need to issue "clear crypto isakmp" and "clear crypto session", and then everything becomes normal.

Below is the relevant configuration of both offices; they are connected through point-to-multipoint links.

Headoffice Config :

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MINE esp-3des esp-md5-hmac

crypto ipsec profile DMVPN
set security-association lifetime seconds 36000
set transform-set MINE
set pfs group2
set isakmp-profile DMVPN

interface Tunnel0
description XXXXXX
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip virtual-reassembly
tunnel source 172.19.7.102
tunnel mode gre multipoint
tunnel key 999
tunnel protection ipsec profile DMVPN

interface Tunnel2
description DMVPN over XXXXXX
ip address 192.168.20.1 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication ciscoc
ip nhrp map multicast dynamic
ip nhrp network-id 2999
ip virtual-reassembly
tunnel source 172.19.20.106
tunnel mode gre multipoint
tunnel key 9999
tunnel protection ipsec profile DMVPN

BRANCH CONFIG


crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
no crypto isakmp ccm
!        
!        
crypto ipsec transform-set MINE esp-3des esp-md5-hmac
!        
crypto ipsec profile DMVPN
set security-association lifetime seconds 36000
set transform-set MINE
set pfs group2

interface Tunnel0
description xxxxxxxxx
ip address 192.168.1.10 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 192.168.1.1 172.19.7.102
ip nhrp map multicast 172.19.7.102
ip nhrp network-id 99
ip nhrp nhs 192.168.1.1
tunnel source 172.19.7.110
tunnel destination 172.19.7.102
tunnel key 999
tunnel protection ipsec profile DMVPN

interface Tunnel2
ip address 192.168.20.10 255.255.255.0
no ip redirects
ip mtu 1360
ip nhrp authentication ciscoc
ip nhrp map 192.168.20.1 172.19.20.106
ip nhrp map multicast 172.19.20.106
ip nhrp network-id 2999
ip nhrp nhs 192.168.20.1
tunnel source 172.19.7.110
tunnel destination 172.19.20.106
tunnel key 9999
tunnel protection ipsec profile DMVPN


Javi Benito

Do you have a syslog server in your network?

It could be helpful if you post some logs.

No buddy, no syslog server :S

You can execute this debug command on both devices and paste the result.

debug crypto isakmp 127

I did some debugs and got the following errors on the branch router. The subnet 192.168.10.x is the one I am having problems with.

*Nov 28 15:27:37.978: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat  outgoing_negotiating since it's already 0.
*Nov 28 15:27:37.990: ISAKMP: Trying to decrement ipsec count below 0
*Nov 28 15:27:38.230: ISAKMP: Trying to decrement ipsec count below 0
*Nov 28 15:27:43.390: map_db_find_best did not find matching map
*Nov 28 15:27:43.706: map_db_find_best did not find matching map
*Nov 28 15:27:58.162: IPSEC(decapsulate): error in decapsulation crypto_ipsec_les_fs
RTR#
RTR#
*Nov 28 15:28:58.190: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
*Nov 28 15:28:58.194: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x2000820
*Nov 28 15:29:23.418: ISAKMP:(0:81:HW:2):SA is still budding. Attached new ipsec request to it. (local BRANCH_IP, remote HEADOFFICE_IP)
*Nov 28 15:29:53.418: ISAKMP:(0:81:HW:2):SA is still budding. Attached new ipsec request to it. (local 1BRANCH_IP, remote HEADOFFICE_IP)
*Nov 28 15:29:58.218: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
*Nov 28 15:30:00.506: ISAKMP:(0:81:HW:2): Phase 1 negotiation failed with DPD active; deleting IKE/IPSec SAs
*Nov 28 15:30:00.506: ISAKMP:(0:81:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer HEADOFFICE_IP)
*Nov 28 15:30:00.506: ISAKMP:(0:81:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer HEADOFFICE_IP)
RTR#

*Nov 28 15:30:51.762: ISAKMP:(0:83:HW:2): starving for SPIs...
*Nov 28 15:30:58.242: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820


*Nov 28 15:31:58.266: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820

*Nov 28 15:32:58.290: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820

*Nov 28 15:33:12.946: ISAKMP:(0:89:HW:2):SA is still budding. Attached new ipsec request to it. (local BRANCH_IP, remote HEADOFFICE_IP)

*Nov 28 15:33:42.946: ISAKMP:(0:89:HW:2):SA is still budding. Attached new ipsec request to it. (local BRANCH_IP, remote HEADOFFICE_IP)
*Nov 28 15:33:49.002: ISAKMP:(0:89:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer HEADOFFICE_IP)
*Nov 28 15:33:49.002: ISAKMP:(0:89:HW:2):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer HEADOFFICE_IP)

RTR#sh crypto session

Interface: Tunnel1
Session status: UP-NO-IKE
Peer: 137.101.12.162 port 500
  IKE SA: local BRANCH_IP/500 remote HEADOFFICE_IP/500 Inactive
  IKE SA: local BRANCH_IP/500 remote HEADOFFICE_IP/500 Inactive
  IKE SA: local BRANCH_IP/500 remote HEADOFFICE_IP/500 Inactive
  IPSEC FLOW: permit 47 host  BRANCH_IP/ host HEADOFFICE_IP
        Active SAs: 4, origin: crypto map

And sometimes the session status is Down Negotiating.

Is there some blockage from the ISP end?

Try sharing the ipsec profile since the profile is being used by multiple tunnels.

"tunnel protection ipsec profile DMVPN shared"

Dan
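Added example, not from the thread: a small Python check that reads an IOS-style config dump and flags tunnel interfaces that use the same tunnel source and the same IPsec profile without the shared keyword, which is the situation in the branch config above (Tunnel0 and Tunnel2 both source 172.19.7.110 and both use profile DMVPN). The embedded config is a constructed excerpt of that branch config.

```python
import re
from collections import defaultdict

# Constructed sample: the branch configuration from the thread, reduced to the
# two tunnel interfaces and the lines that matter for this check.
BRANCH_CONFIG = """\
interface Tunnel0
 ip address 192.168.1.10 255.255.255.0
 tunnel source 172.19.7.110
 tunnel destination 172.19.7.102
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface Tunnel2
 ip address 192.168.20.10 255.255.255.0
 tunnel source 172.19.7.110
 tunnel destination 172.19.20.106
 tunnel key 9999
 tunnel protection ipsec profile DMVPN
"""

def parse_tunnels(config):
    """Return {name: {"source", "profile", "shared"}} for every tunnel interface.
    A block ends at the next 'interface' line or at a '!' separator."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"source": None, "profile": None, "shared": False}
            continue
        if line.startswith("!"):
            current = None
        if current is None:
            continue
        if line.startswith("tunnel source "):
            tunnels[current]["source"] = line.split()[2]
        elif line.startswith("tunnel protection ipsec profile "):
            parts = line.split()
            tunnels[current]["profile"] = parts[4]
            tunnels[current]["shared"] = "shared" in parts[5:]
    return tunnels

def unshared_profile_conflicts(tunnels):
    """Group tunnels by (source, profile). Any group of two or more tunnels in
    which not every member carries 'shared' is reported as a conflict."""
    groups = defaultdict(list)
    for name, t in tunnels.items():
        if t["source"] and t["profile"]:
            groups[(t["source"], t["profile"])].append(name)
    return {key: sorted(names) for key, names in groups.items()
            if len(names) > 1 and not all(tunnels[n]["shared"] for n in names)}
```

The head-office config passes this check because its two tunnels use different tunnel sources; the branch config fails it until both tunnels get the shared keyword.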

To be clear, I removed the tunnel protection and now I am running DMVPN over the internet (without IPSec). I still can't get EIGRP to work, and when I did debug nhrp I got these. 10.9 is the branch and 10.1 is the head office. This is the branch result:

*Nov 28 16:19:00.866: NHRP: Setting retrans delay to 8 for nhs  dst 192.168.10.1
*Nov 28 16:19:00.866: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:19:00.866: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:19:00.866:       src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:19:00.866: NHRP: 84 bytes out Tunnel1 int tu
% Incomplete command.

RTR(config)#
*Nov 28 16:19:08.742: NHRP: Setting retrans delay to 16 for nhs  dst 192.168.10.1
*Nov 28 16:19:08.742: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:19:08.742: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:19:08.742:       src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:19:08.742: NHRP: 84 bytes out Tunnel1
*Nov 28 16:19:23.222: NHRP: Setting retrans delay to 32 for nhs  dst 192.168.10.1
*Nov 28 16:19:23.222: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:19:23.222: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:19:23.222:       src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:19:23.222: NHRP: 84 bytes out Tunnel1
*Nov 28 16:19:49.146: NHRP: Setting retrans delay to 64 for nhs  dst 192.168.10.1
*Nov 28 16:19:49.146: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:19:49.146: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:19:49.146:       src: 192.168.10.9, dst: 192.168.10.1

I did a tunnel shut and then no shut, and ran some EIGRP and NHRP debugs again:

Nov 28 16:34:19.190: NHRP: if_up: Tunnel1 proto 0
*Nov 28 16:34:19.190: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:19.190: NHRP: Cannot route packet for target 192.168.10.1
*Nov 28 16:34:19.190: NHRP: if_up: Tunnel1 proto 0
*Nov 28 16:34:19.190: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:19.194: NHRP: Cannot route packet for target 192.168.10.1
*Nov 28 16:34:19.194: NHRP: Resetting retransmit due to hold-timer for 192.168.10.1
*Nov 28 16:34:20.078: NHRP: Setting retrans delay to 2 for nhs  dst 192.168.10.1
*Nov 28 16:34:20.078: NHRP: Attempting to send packet via DEST 192.168.10.1

ig)#
*Nov 28 16:34:20.078: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:20.078:       src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:34:20.078: NHRP: 84 bytes out Tunnel1
*Nov 28 16:34:21.186: %LINK-3-UPDOWN: Interface Tunnel1, changed state to up
*Nov 28 16:34:21.886: NHRP: Setting retrans delay to 4 for nhs  dst 192.168.10.1
*Nov 28 16:34:21.886: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:21.886: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:21.886:       src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:34:21.886: NHRP: 84 bytes out Tunnel1
*Nov 28 16:34:22.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Nov 28 16:34:25.818: NHRP: Setting retrans delay to 8 for nhs  dst 192.168.10.1
*Nov 28 16:34:25.818: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:25.818: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:25.818:       src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:34:25.818: NHRP: 84 bytes out Tunnel1
*Nov 28 16:34:32.914: NHRP: Setting retrans delay to 16 for nhs  dst 192.168.10.1
*Nov 28 16:34:32.914: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:32.914: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:32.914:       src: 192.168.10.9, dst: 192.168.10.1
*Nov 28 16:34:32.914: NHRP: 84 bytes out Tunnel1
*Nov 28 16:34:45.246: NHRP: Setting retrans delay to 32 for nhs  dst 192.168.10.1
*Nov 28 16:34:45.246: NHRP: Attempting to send packet via DEST 192.168.10.1
*Nov 28 16:34:45.246: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 84
*Nov 28 16:34:45.246:       src: 192.168.10.9, dst: 192.168.10.1

I can ping the physical IP of the head office and the head office can ping the branch, but DMVPN doesn't seem to work on this link.