5924 Views, 5 Helpful, 20 Replies

VPN tunnel (session status)

lakhwaraa
Level 1

I have configured a crypto isakmp and NHRP tunnel for my branch and main office. Which command should I use to make the session active in all states, like the following example?

HAVE THIS

Interface: Tunnel2
Session status: DOWN-NEGOTIATING
Peer: 101.244.32.1 port 500
IKE SA: local 192.168.8.254/500 remote 101.244.32.1/500 Inactive
IKE SA: local 192.168.8.254/500 remote 101.244.32.1/500 Inactive
IPSEC FLOW: permit 47 host 192.168.8.254 host 101.244.32.1
Active SAs: 0, origin: crypto map

NEED THIS

Interface: Tunnel2
Session status: UP-ACTIVE (THIS IS ALWAYS ACTIVE EVEN WHEN NOT USING THIS TUNNEL)
Peer: 101.244.32.1 port 4500
IKEv1 SA: local 192.168.8.250/4500 remote 101.244.32.1/4500 Active
IPSEC FLOW: permit 47 host 192.168.8.250 host 101.244.32.1
Active SAs: 2, origin: crypto map

my conf is as below

crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key M@ster address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set CR-TS-MAS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CR-PR-MAS
set transform-set CR-TS-MAS
!


interface Tunnel2
ip address 10.2.1.57 255.255.255.0
no ip redirects
ip mtu 1390
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 eigrp_keys
ip hold-time eigrp 10 60
ip nhrp authentication deast
ip nhrp map multicast dynamic
ip nhrp map 10.2.1.254  101.244.32.1
ip nhrp map multicast 101.244.32.1
ip nhrp map 10.2.1.12 101.244.32.6
ip nhrp map multicast 101.244.32.6
ip nhrp network-id 2
ip nhrp holdtime 600
ip nhrp nhs 10.2.1.12
ip nhrp nhs 10.2.1.254
ip nhrp registration no-unique
zone-member security vpn
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 121
tunnel protection ipsec profile CR-PR-MAS shared

WHAT CHANGES SHOULD I MAKE IN THE CONFIGURATION TO MAKE THE TUNNEL ALWAYS ACTIVE?

PLEASE NOTE: THE CONFIGURATION OF BOTH EXAMPLES IS THE SAME, BUT I DON'T KNOW HOW ONE TUNNEL IS ALWAYS ACTIVE AND THE OTHER IS NEGOTIATING.

20 Replies

show ip nhrp nhs redundancy 

Share this and I will explain why.

router>show ip nhrp nhs redundancy

Legend: E=Expecting replies, R=Responding, W=Waiting
No.  Interface  Cluster  NHS         Priority  Cur-State  Cur-Queue  Prev-State  Prev-Queue
1    Tunnel2    0        10.2.2.254  0         RE         Running    E
2    Tunnel2    0        10.2.2.12   0         RE         Running    E

No.  Interface  Cluster  Status   Max-Con  Total-NHS  Registering/UP  Expecting  Waiting  Fallback
1    Tunnel2    0        Disable  Not Set  2          2               0          0        0

Note: both routers have the same sh ip nhrp display (the one router which is always active and the other router which is negotiating).

The tunnel on the Spoke has two NHS and both are UP,
BUT the Spoke does not send traffic to both NHS; it sends to only one.
IPsec needs traffic to pass to be UP.
Since the data traffic is sent to only one NHS, the other NHS's IPsec is inactive.
How can we make IPsec always active?
isakmp keepalive periodic, not on-demand.
A small NHRP timeout, to make the Spoke always send NHRP request messages to the NHS server and hence keep the IPsec always active.

So if I remove the line

crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key M@ster address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 60 (remove this line)

!
crypto ipsec transform-set CR-TS-MAS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CR-PR-MAS
set transform-set CR-TS-MAS

then will it always be active?

IPsec is two phases:
phase 1, here you need keepalive;
phase 2, here you need to pass traffic, and the best small packet to pass through the tunnel is the NHRP register packet, sent from Spoke to Hub.

Here I did a small lab: R1 is the spoke and has two Hubs, R2 & R3.
I configured the NHRP register timeout to 10 sec;
this makes the spoke send an NHRP message to the Spoke every 10 sec and hence makes the tunnel active all the time.
Still, for phase 1 you need keepalive:
crypto isakmp keepalive 60 (don't remove this)
Below is a capture of the tunnel without the IPsec profile:
[image attachment: nhrp.png]

Below is a capture of the tunnel with the IPsec profile:
[image attachment: espespepspe.png]

Sir,

I have entered the following command

ip nhrp registration timeout 10

but it still shows the tunnel negotiating

Interface: Tunnel2
Session status: DOWN-NEGOTIATING
Peer: 119.159.230.51 port 500
Session ID: 0
IKEv1 SA: local 192.168.8.250/500 remote 101.244.32.1/500 Inactive
IPSEC FLOW: permit 47 host 192.168.8.250 host 101.244.32.1
Active SAs: 0, origin: crypto map

Q.
Is the config of Tunnel2 you shared for the Spoke?
Is there one hub, but you use two interfaces?

Ok

Let's do it again from the start.

I have 2 sub-branches and 1 main branch.

Branches have 2 internet connections for 2 tunnels (Tunnel 1 and Tunnel 2). The configuration of the 2 sub-branches is the same. I am sending the configuration of only Tunnel 2.

crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key M@ster address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set CR-TS-MAS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CR-PR-MAS
set transform-set CR-TS-MAS
!


interface Tunnel2
ip address 10.2.1.57 255.255.255.0
no ip redirects
ip mtu 1390
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 eigrp_keys
ip hold-time eigrp 10 60
ip nhrp authentication deast
ip nhrp map multicast dynamic
ip nhrp map 10.2.1.254  101.244.32.1
ip nhrp map multicast 101.244.32.1
ip nhrp network-id 2
ip nhrp holdtime 600

ip nhrp nhs 10.2.1.254
ip nhrp registration no-unique
zone-member security vpn
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 121
tunnel protection ipsec profile CR-PR-MAS shared

Now the question is: somehow, when the tunnel is not in use, one branch is always active and the other branch is negotiating. What could be the cause?

Branch 1 is always negotiating.

Interface: Tunnel2
Session status: DOWN-NEGOTIATING
Peer: 101.244.32.1 port 500
IKE SA: local 192.168.8.254/500 remote 101.244.32.1/500 Inactive
IKE SA: local 192.168.8.254/500 remote 101.244.32.1/500 Inactive
IPSEC FLOW: permit 47 host 192.168.8.254 host 101.244.32.1
Active SAs: 0, origin: crypto map

 

Branch 2 is always active, even when the tunnel is not in use.

Interface: Tunnel2
Session status: UP-ACTIVE (THIS IS ALWAYS ACTIVE EVEN WHEN NOT USING THIS TUNNEL)
Peer: 101.244.32.1 port 4500
IKEv1 SA: local 192.168.8.250/4500 remote 101.244.32.1/4500 Active
IPSEC FLOW: permit 47 host 192.168.8.250 host 101.244.32.1
Active SAs: 2, origin: crypto map

[image attachment: bcvbvcbcvb.png]

If I am right, the Hub is the branch and the Spoke is the sub-branch?

Router#show ip nhrp nhs detail

Check the above command on all routers. Do you see the req-failed counter increase?

Ok

Router 1: the one router which has the always active tunnel shows this

Tunnel2:
10.2.2.12 RE priority = 0 cluster = 0 req-sent 9051 req-failed 0 repl-recv 9021 (00:00:03 ago)
10.2.2.254 RE priority = 0 cluster = 0 req-sent 9079 req-failed 0 repl-recv 9027 (00:00:03 ago)

Router 2: the one which has the tunnel in negotiating mode

Tunnel2:
10.2.2.12 E priority = 0 cluster = 0 req-sent 17841 req-failed 0 repl-recv 0
10.2.2.254 E priority = 0 cluster = 0 req-sent 17841 req-failed 0 repl-recv 0

Pending Registration Requests:
Registration Request: Reqid 3, Ret 32 NHS 10.2.2.254 expired (Tu2)
Registration Request: Reqid 2, Ret 32 NHS 10.2.2.12 expired (Tu2)

Tunnel2:
10.2.2.12 RE priority = 0 cluster = 0 req-sent 9051 req-failed 0 repl-recv 9021 (00:00:03 ago)
10.2.2.254 RE priority = 0 cluster = 0 req-sent 9079 req-failed 0 repl-recv 9027 (00:00:03 ago)

Tunnel2:
10.2.2.12 E priority = 0 cluster = 0 req-sent 17841 req-failed 0 repl-recv 0
10.2.2.254 E priority = 0 cluster = 0 req-sent 17841 req-failed 0 repl-recv 0


One router receives the reply; the other (failed one) does not receive the reply,
so the issue is the Hub not replying to the registration received from the Spoke.
Can you try adding this command to the failed router:

 ip nhrp registration non-unique

It's already added in both routers' configuration.

Kindly check both routers' configuration again:

crypto isakmp key M@ster address 0.0.0.0 0.0.0.0

ip nhrp authentication deast

10.2.2.12 E priority = 0 cluster = 0 req-sent 17841 req-failed 0 repl-recv 0
10.2.2.254 E priority = 0 cluster = 0 req-sent 17841 req-failed 0 repl-recv 0

I checked the cases that make the repl-recv count zero: if the NHRP auth password is wrong or the IPsec config is wrong, this happens.
Since the IPsec config (isakmp policy + transform) is not usually wrong, I still see many cases where the password is written wrong.
So can you double-check the password for NHRP auth and IPsec auth.

Note: to separate an issue in the tunnel itself from one in IPsec, you can remove the ipsec profile from the tunnel and check the repl-recv counter; if it is OK then the issue is surely with IPsec, not the tunnel.

One more command helps us detect the issue:
show dmvpn
Do you see IKE?
Do you see IPsec?
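One way to automate the comparison the replies above describe (req-sent against repl-recv in `show ip nhrp nhs detail`, and the State column of `show dmvpn`), as an added Python example that is not part of this thread. The sample outputs are copied from the posts in this thread; the wording of the findings, the treatment of a non-zero req-failed counter, and the rule that any `show dmvpn` state other than UP is an incomplete tunnel are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Sample outputs copied from the two routers in this thread: Router 1 (session always
# UP-ACTIVE) and Router 2 (stuck in DOWN-NEGOTIATING). Nothing here is live data.
NHS_DETAIL_ACTIVE = """\
Tunnel2:
10.2.2.12 RE priority = 0 cluster = 0 req-sent 9051 req-failed 0 repl-recv 9021 (00:00:03 ago)
10.2.2.254 RE priority = 0 cluster = 0 req-sent 9079 req-failed 0 repl-recv 9027 (00:00:03 ago)
"""
NHS_DETAIL_NEGOTIATING = """\
Tunnel2:
10.2.2.12 E priority = 0 cluster = 0 req-sent 17841 req-failed 0 repl-recv 0
10.2.2.254 E priority = 0 cluster = 0 req-sent 17841 req-failed 0 repl-recv 0

Pending Registration Requests:
Registration Request: Reqid 3, Ret 32 NHS 10.2.2.254 expired (Tu2)
Registration Request: Reqid 2, Ret 32 NHS 10.2.2.12 expired (Tu2)
"""
DMVPN_NEGOTIATING = """\
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 101.244.32.6    10.2.2.12       IKE   02:47:04     S
     1 101.244.32.1    10.2.2.254      NHRP  02:47:05     S
"""
DMVPN_ACTIVE = """\
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 101.244.32.6    10.2.2.12       UP    03:52:47     S
     1 101.244.32.67   10.2.2.249      UP    00:02:37     D
     1 101.244.32.1    10.2.2.254      UP    23:13:24     S
"""

NHS_LINE = re.compile(
    r"^(?P<nhs>\d+\.\d+\.\d+\.\d+)\s+(?P<flags>[A-Z]+)\s+priority = \d+\s+cluster = \d+\s+"
    r"req-sent (?P<sent>\d+)\s+req-failed (?P<failed>\d+)\s+repl-recv (?P<recv>\d+)")
PENDING_LINE = re.compile(r"^Registration Request: Reqid \d+, Ret \d+ NHS (?P<nhs>\S+) (?P<status>\w+)")
DMVPN_LINE = re.compile(
    r"^\s*\d+\s+(?P<nbma>\S+)\s+(?P<tunnel>\S+)\s+(?P<state>[A-Z]+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s*$")


@dataclass
class NhsEntry:
    interface: str
    nhs: str
    flags: str          # legend from the page: E=Expecting replies, R=Responding, W=Waiting
    req_sent: int
    req_failed: int
    repl_recv: int
    pending_expired: int = 0


def parse_nhs_detail(text):
    """Parse 'show ip nhrp nhs detail'; expired pending registrations are counted per NHS."""
    entries, interface = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"\S+:", line):          # interface header such as "Tunnel2:"
            interface = line[:-1]
            continue
        if m := NHS_LINE.match(line):
            entries.append(NhsEntry(interface, m["nhs"], m["flags"],
                                    int(m["sent"]), int(m["failed"]), int(m["recv"])))
        elif (m := PENDING_LINE.match(line)) and m["status"] == "expired":
            for e in entries:
                if e.nhs == m["nhs"]:
                    e.pending_expired += 1
    return entries


def diagnose_nhs(entries):
    """Apply the thread's rule: registrations sent but never answered means the hub is not replying."""
    findings = []
    for e in entries:
        where = f"{e.interface} NHS {e.nhs}"
        if e.req_sent > 0 and e.repl_recv == 0:
            findings.append(f"{where}: {e.req_sent} registrations sent, 0 replies, "
                            f"{e.pending_expired} expired: hub not replying; verify "
                            "'ip nhrp authentication', the ISAKMP key and the IPsec profile")
        elif e.req_failed > 0:   # assumption: a rising req-failed counter is worth a finding too
            findings.append(f"{where}: req-failed {e.req_failed}; hub rejects registrations")
        elif "R" not in e.flags:
            findings.append(f"{where}: NHS not Responding (flags {e.flags})")
    return findings


def parse_dmvpn(text):
    """Return (nbma, tunnel, state, attrb) for each peer row of 'show dmvpn'."""
    return [(m["nbma"], m["tunnel"], m["state"], m["attrb"])
            for m in map(DMVPN_LINE.match, text.splitlines()) if m]


def peers_not_up(text):
    """Assumption: a peer whose state is anything but UP has not completed IKE, IPsec and NHRP."""
    return [(nbma, state) for nbma, _, state, _ in parse_dmvpn(text) if state != "UP"]


if __name__ == "__main__":
    for name, nhs, dmvpn in (("always active", NHS_DETAIL_ACTIVE, DMVPN_ACTIVE),
                             ("negotiating", NHS_DETAIL_NEGOTIATING, DMVPN_NEGOTIATING)):
        print(f"== router {name}: peers not UP {peers_not_up(dmvpn)}")
        for finding in diagnose_nhs(parse_nhs_detail(nhs)) or ["no NHS finding"]:
            print("  ", finding)
```

Running the script over the two routers' outputs reports nothing for the always-active router and, for the negotiating one, flags both NHS entries as "hub not replying" with one expired registration each, which is exactly the asymmetry the reply above points at before suggesting the NHRP and IPsec authentication checks.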

Router result (Which is negotiating)

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 101.244.32.6    10.2.2.12       IKE   02:47:04     S
     1 101.244.32.1    10.2.2.254      NHRP  02:47:05     S

Router result (Which is always up)

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 101.244.32.6    10.2.2.12       UP    03:52:47     S
     1 101.244.32.67   10.2.2.249      UP    00:02:37     D
     1 101.244.32.1    10.2.2.254      UP    23:13:24     S

Note: These are the results when I am not sending any traffic through the tunnels.