Symptom:
The Group-Member is noticed to exhibit erratic behavior with respect to deny policies:
On ISR-4300:
- Outbound traffic will hit the deny-policy and go out in clear-text, however
- While dealing with the return clear-text traffic, the deny policies may get ignored, and the router may start dropping it with "IPSEC-3-RECVD_PKT_NOT_IPSEC"

ASR1k:
A) When the KS sends a policy as follows [As long as SW TCAM is being used due to Huge-Deny ACL entries]:
deny tcp any eq 22 any
deny tcp any any eq 22
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

- Here, the ASR sends all TCP traffic [ex: SSH as well as HTTP] unencrypted, as though it is disregarding the port

B) when the Policy config is such that: 

KS pushes:
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Local deny policy is:
deny tcp any eq 22 any
deny tcp any any eq 22

- Here, ASR does not look at the local deny policy at all, and sends all the traffic [matching the permit policy] encrypted.

Conditions:
IOS-XE [ISR 4300 or ASR1k] on XE 3.13 configured as GetVPN Group-Member, where either SW-TCAM is used by default for the platform or the deny policy is so huge that HW-TCAM cannot accommodate the policy, hence failing back to SW-TCAM.