During an upgrade to NSX for vSphere 6.4.6 with an sni related rule or when you are creating or configuring a new sni related rule in this version, you experience these symptoms:
VMware NSX for vSphere 6.4.x
This issue occurs because the sni rule with the keywords: req_ssl_sni, req.ssl_sni, ssl_fc_sni, ssl_fc_has_sni, are broken in NSX for vSphere 6.4.6.
The regular expression used to support LB application rule sni expression in 6.4.6, is not strict enough.
This issue is resolved in VMware NSX Data Center for vSphere 6.4.7, available at Broadcom Downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.
To workaround this issue: