I have an issue in the network below where R3 can't reach R1 (in that direction only). R1 can reach R3 (as verified with a debug for ICMP pings).
I have 3 routers and a FW in this setup, and the DMVPN goes from R1 to R2 via the firewall (using NAT, and has a temporary policy to allow any any traffic in any direction to eliminate any FW policy problems). The DMVPN is up and working, I can even telnet from R2 to R1 and vice versa. However, I cannot bidirectionally send traffic from R1 to R3. The setup is drawn below:
R1 ---- FW --(internet)---- R2 --------R3
I can ping between R1 and R2 on the tunnel interface (i.e. DMVPN is up and working). Also, I used some ip icmp debugs on R3. R1 can ping R3 one way (I see the ICMP hit R3 with a source IP of the tunnel interface on R1). R3 sends an ICMP echo reply back, but it never makes it back to R1 (you will see this in the outputs below). The traceroute shows that R3 reaches R2, but R2 doesn't forward the packet.

R2 (dmvpn hub)

interface GigabitEthernet0/1
 description R2 - Outside Int.
 bandwidth 10000
 ip address 40.75.40.31 255.255.255.0
 ip flow ingress
 ip flow egress
 duplex full
 speed 1000
 no cdp enable
end

interface GigabitEthernet0/0
 description R2 - Inside Int towards R3
 ip address 172.24.209.2 255.255.255.252
 no ip split-horizon
 ip ospf network point-to-point
 duplex full
 speed 1000

interface Tunnel0
 bandwidth 10000
 ip address 172.24.210.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip flow egress
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 90
 ip ospf network broadcast
 ip ospf cost 40
 ip ospf hello-interval 30
 ip ospf priority 150
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN

R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
IPv4 NHS: 172.24.210.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1

# Ent  Peer NBMA Addr   Peer Tunnel Add  State  UpDn Tm   Attrb  Target Network
-----  ---------------  ---------------  -----  --------  -----  -----------------
    1  40.75.40.31      172.24.210.1     UP     00:24:18  S      172.24.210.1/32

interface Tunnel0
 description Tunnel to R2
 ip address 172.24.210.28 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxx
 ip nhrp map 172.24.210.1 40.75.40.31
 ip nhrp map multicast 40.75.40.31
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 172.24.210.1
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf cost 100
 ip ospf hello-interval 30
 ip ospf priority 0
 load-interval 30
 keepalive 10 3
 tunnel source FastEthernet0/0.1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN shared
end

interface FastEthernet0/0.1
 encapsulation dot1Q 10 native
 ip address 172.26.156.1 255.255.255.0
 ip ospf network point-to-point
R1#ping 172.24.209.2 (ping to R2's inside interface)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.209.2, timeout is 2 seconds:
!!!!!
//debug ip icmp output (on R2) when I ping from R1 to R2's inside interface
Jan 19 21:42:00.797: ICMP: echo reply sent, src 172.24.209.2, dst 172.24.210.28, topology BASE, dscp 0 topoid 0
Jan 19 21:42:00.833: ICMP: echo reply sent, src 172.24.209.2, dst 172.24.210.28, topology BASE, dscp 0 topoid 0
Jan 19 21:42:00.873: ICMP: echo reply sent, src 172.24.209.2, dst 172.24.210.28, topology BASE, dscp 0 topoid 0
Jan 19 21:42:00.909: ICMP: echo reply sent, src 172.24.209.2, dst 172.24.210.28, topology BASE, dscp 0 topoid 0
R1#ping 172.24.209.1 (to R3's interface that connects to R2, notice it's the same subnet as before)
//debug ip icmp output (on R3) when I ping from R1 to R3
1112349: Jan 19 21:42:03.597 GMT: ICMP: echo reply sent, src 172.24.209.1, dst 172.24.210.28
1112350: Jan 19 21:42:05.593 GMT: ICMP: echo reply sent, src 172.24.209.1, dst 172.24.210.28
1112351: Jan 19 21:42:07.593 GMT: ICMP: echo reply sent, src 172.24.209.1, dst 172.24.210.28
1112352: Jan 19 21:42:09.593 GMT: ICMP: echo reply sent, src 172.24.209.1, dst 172.24.210.28

06680r1#show ip route 172.24.209.2
Routing entry for 172.24.0.0/16
  Known via "ospf 100", distance 110, metric 140
  Tag 555, type extern 1
  Last update from 172.24.210.1 on Tunnel0, 00:00:16 ago
  Routing Descriptor Blocks:
  * 172.24.210.1, from 172.24.210.1, 00:00:16 ago, via Tunnel0
      Route metric is 140, traffic share count is 1
      Route tag 555
!NOTE: gi4/21 is the interface connecting to R2 (the IP is on the same subnet).