NSX-v IPSEC VPN routing issues after IPSec policy based VPN is modified


Article ID: 323006


Products

VMware NSX

Issue/Introduction

  • After updating a policy-based VPN to change a remote subnet from a /32 to a /29 network, the /32 address was no longer accessible despite being within the range of the wider /29 network.
  • After removing a remote subnet from a policy-based VPN and replacing it with a static route, traffic destined for the remote subnets was not routed to the interface associated with the static route.

Environment

VMware NSX Data Center for vSphere

Cause

IPSec policy-based VPN routing is not cleared down when VPN subnets are amended, moved, or deleted.

Resolution

This is a known issue impacting VMware NSX Data Center for vSphere.


Workaround
* Redeploy or reboot the Edge on which the VPN is configured.
* If the Edge is deployed in an HA configuration, you can avoid a redeploy or reboot: set the admin state of the active Edge to down to force failover to the standby Edge, which will route the traffic as expected, then set the admin state of that Edge back to up to restore HA functionality.