VMware NSX
Appliances that enforce ESP anti-replay checking may drop traffic after an NSX Edge failover. The receiving peer tracks the highest ESP sequence number it has accepted on a Security Association and rejects any packet whose sequence number is already marked as seen or falls below its configured anti-replay window. When an Edge fails over, the newly active Edge node sends ESP packets whose sequence numbers start again from a low value, so they fall behind the peer's window and are dropped. Only the ESP encrypted data packets are affected; the IKE exchange is not subject to the check, so the tunnel can still show as up while no traffic passes.
This is a condition that may occur in a VMware NSX environment.
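The following simulation, added here as an illustration and not code from VMware or Cisco, implements a receiver-side anti-replay window of the kind described in RFC 4303 and replays the failover scenario above: a peer accepts 1000 packets from the original Edge, the newly active Edge then restarts its ESP counter at 1, and every one of its packets is dropped until the Security Association is renegotiated and the window starts fresh. The window size of 64 is an assumed default; the function also shows that a larger window does not help, because the low sequence numbers are either behind the window or already marked as seen.

```python
"""Simulation of ESP anti-replay behaviour across an Edge failover.

Added example (not from the original article). The window logic follows the
sliding-window scheme of RFC 4303 section 3.4.3; the packet counts and the
default window size of 64 are assumptions chosen for illustration.
"""


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound ESP Security Association."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (highest - i) already seen
        self.dropped = 0    # what a "replay failed" counter on the peer would show

    def accept(self, seq):
        """Return True if the packet is accepted, False if it is dropped as a replay."""
        if seq == 0:                      # ESP sequence numbers start at 1
            self.dropped += 1
            return False
        if seq > self.highest:            # new high-water mark: slide the window
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1           # everything previously seen is now out of range
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:    # behind the window: too old
            self.dropped += 1
            return False
        if self.bitmap & (1 << offset):   # inside the window but already seen
            self.dropped += 1
            return False
        self.bitmap |= 1 << offset        # late but new: accept and mark seen
        return True


def simulate_failover(packets_before=1000, packets_after=20, window_size=64):
    """Model the peer's inbound SA across an Edge failover.

    Returns (drops after failover on the old SA, drops after the SA is cleared
    and renegotiated). Packet counts are constructed sample values.
    """
    sa = AntiReplayWindow(window_size)
    for seq in range(1, packets_before + 1):       # original Edge, counter 1..N
        assert sa.accept(seq)

    # Failover: the newly active Edge restarts its ESP counter at 1 while the
    # peer still holds the old window state for the same SA.
    drops_before = sa.dropped
    for seq in range(1, packets_after + 1):
        sa.accept(seq)
    failover_drops = sa.dropped - drops_before

    # Equivalent of "clear crypto ipsec sa peer <NSX_Edge_IP>": a new SA is
    # negotiated, so the peer starts with an empty window and both sides count
    # from 1 again.
    sa = AntiReplayWindow(window_size)
    for seq in range(1, packets_after + 1):
        sa.accept(seq)
    return failover_drops, sa.dropped


if __name__ == "__main__":
    for size in (64, 1024):
        failed, after_rekey = simulate_failover(window_size=size)
        print(f"window {size}: dropped {failed} packets after failover, "
              f"{after_rekey} after the SA was cleared")
```

With the default window the post-failover packets are behind the window and are dropped; with a window of 1024 they are inside the window but their sequence numbers are already marked as seen, so they are dropped just the same. Only the renegotiated Security Association accepts them.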
It is recommended to check whether the anti-replay drop counters on the peer appliance are increasing while the condition occurs, which confirms that the drops are caused by the replay check rather than by the tunnel itself.
For example, on a Cisco ASA security appliance:
show crypto ipsec sa peer <NSX_Edge_IP> | include replay
Clearing the IPsec Security Association on the ASA forces a renegotiation with the Edge. The new Security Association starts with fresh sequence numbers on both sides, so the peer's anti-replay state no longer conflicts with what the Edge sends and traffic is restored as soon as the SA is re-established.
clear crypto ipsec sa peer <NSX_Edge_IP>
Anti-replay can also be disabled on the ASA, but this lowers security because replayed ESP packets are then accepted. Note that this is a global setting on the ASA and affects all IPsec Security Associations, not only the one to the NSX Edge. Increasing the anti-replay window size is not a workaround: after a failover the sequence numbers restart far below the values the peer has already accepted, so they are rejected regardless of the window size.
crypto ipsec security-association replay disable