I am also seeing this bug on ISR4451-X running 16.06.05.
The exact same IPs, when used in an object-group are ignored but work fine when referenced directly in the ACL rule.
This fails:
object-group network MGMT-NETS-NETGRP
192.168.0.0 255.255.0.0
ip access-list extended VTY-IN-ACL
permit ip object-group MGMT-NETS-NETGRP any
line vty 0 4
access-class VTY-IN-ACL in vrf-also
But this works:
ip access-list extended VTY-IN-ACL
permit ip 192.168.0.0 0.0.255.255 any
line vty 0 4
access-class VTY-IN-ACL in vrf-also
This shows a match logged on the explicit IP rule:
object-group network MGMT-NETS-NETGRP
192.168.0.0 255.255.0.0
ip access-list extended VTY-IN-ACL
permit ip object-group MGMT-NETS-NETGRP any
permit ip 192.168.0.0 0.0.255.255 any log
line vty 0 4
access-class VTY-IN-ACL in vrf-also
*Mar 20 2019 11:59:47.978 ACDT: %SEC-6-IPACCESSLOGP: list VTY-IN-ACL permitted tcp 192.168.42.254(32974) -> 0.0.0.0(22), 1 packet
#show ip access-list VTY-IN-ACL
Extended IP access list VTY-IN-ACL
10 permit ip object-group PRIVATE-NETS-NETGRP any
20 permit ip 192.168.0.0 0.0.255.255 any (6 matches)