I've seen some odd situations where vpn tu does not seem to correctly remove SAs as directed, in those cases these commands via vpn shell have worked for me:
vpn shell /tunnels/delete/IKE/peer/[peer ip]
vpn shell /tunnels/delete/IPsec/peer/[peer ip]
Typically vpn shell is associated with route-based VPNs but it works for domain-based VPNs too.
--
CheckMates Break Out Sessions Speaker
CPX 2019 Las Vegas & Vienna - Tuesday@13:30
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com