You are running into one of the fun, new, restrictions of the ISR Generation 2.
I assume you have the basic "security" licensing package installed as noted by this part of the message:
securityk9 technology package license
However the securityk9 package is Cisco's "unrestricted export" version of that license, and will artificially limit you. You need the hseck9 package. See this white paper for more information. It says in part:
The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E.
With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.
The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SEC license pre-installed.
A quick way to check which license you have, is to issue the following command on your router:
show license feature
This will show you which licenses you have purchased from Cisco and installed on this router. You need to make sure that the hseck9 license is enabled. Otherwise you will be limited to that 85Mbps limit for encrypted traffic. Which on circuits below 100Mbps, might not be an issue, and you could safely ignore this problem. Either way, see this page for more information on installing the new license once you purchase it.
Another handy command for troubleshooting this is:
show platform cerm-information
This will either spit out a list of information about the limits in place, including the failed encrypt/decrypt packet counts, or it will give you the following:
router-1#show platform cerm-information
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: DISABLED
More information on this command here.
Best Answer
The answer is most likely in your question subject.
If you change the route priority at the spoke so that traffic comes in via the VPN/Firewall, then return traffic will still most likely leave via the MPLS network (if nothing else changes).
Your VPN firewall is most likely stateful, and will only have half a session in it's flow table eg: it will see the SYN, but no SYN/ACK, then when the client at the spoke sends the final ACK, the firewall will drop it because it is not in sync with the handshake.