
Disable PPTP and L2TP server

mo01
Level 1

Hello!

I tested PPTP and L2TP VPN solutions, but considered another solution without the Cisco router involved.

I've disabled all the virtual-access and vpdn stuff,

sh run all | i vpdn

returns nothing, but the ports for PPTP and L2TP are still open and control-plane host open-ports confirms that.

How can those services be stopped?

I already tried a reload.

15.9(3)M7 on C886VA-W-E-K9

kind regards

Marco

18 Replies

Not there, even when manually checked.

I agree with @Georg Pauwen, maybe you can try fixing the issue by erasing the device config and restoring it from the backup, as it looks to be buggy behaviour. Alternatively, I would try to raise it with TAC.

mo01
Level 1

I've tried the control-plane policy, although that only affects closed ports (and drops the traffic instead of replying with port unreachable or TCP RST) and not open ones, so I removed that.

I finally solved the problem by rebooting the device with advsecurity license.

Maybe someone can open a bug report; I can't because I am not a direct Cisco contract customer.

Rana zahid
Level 1

If you've disabled the VPDN configuration and the related virtual-access interfaces but still find the PPTP and L2TP ports open, there might be other factors at play. Here are a few steps you can take to troubleshoot and stop those services:

1. **Verify Running Configuration**: Double-check the running configuration to ensure that the VPDN configuration is indeed removed. Sometimes changes might not take effect due to configuration errors or incomplete changes.

2. **Check for Other Services**: Review the running configuration for any other services or features that might be enabling PPTP and L2TP ports. Look for any NAT configurations, access lists, or other VPN-related configurations that might still be active.

3. **Restart Relevant Services**: If you've made changes to the configuration and they haven't taken effect, you can try restarting the relevant services. This can be done with the appropriate commands, such as 'clear vpdn' or 'clear vpdn session'. Be cautious when restarting services as it might temporarily interrupt network connectivity.

4. **Verify ACLs and NAT**: Ensure that there are no access control lists (ACLs) or NAT rules permitting traffic to the PPTP and L2TP ports. Even if the VPDN configuration is disabled, traffic might still be allowed through if there are other configurations permitting it.

5. **Review Running Processes**: Check the output of 'show processes' to see if there are any processes or services actively using the PPTP and L2TP ports. This might provide insight into what is keeping these ports open.

6. **Check for Bugs**: Sometimes, unexpected behavior can be caused by software bugs. Check Cisco's documentation and bug database to see if there are any known issues related to your router's software version and the services you're trying to disable.

If you've exhausted these troubleshooting steps and the ports are still open, it might be worth reaching out to Cisco's technical support for further assistance, as they can provide more specific guidance based on your router's configuration and environment.
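
Added example, not part of the thread and not Cisco code: a Python check that parses saved `show control-plane host open-ports` output and reports whether the PPTP (TCP 1723) or L2TP (UDP 1701) listeners are still present after the vpdn configuration has been removed. The sample outputs, their addresses and the Service column text are constructed; matching uses protocol and local port only.

```python
import re

# Well-known listener sockets for the two tunnelling protocols in this thread.
VPN_LISTENERS = {("tcp", 1723): "PPTP", ("udp", 1701): "L2TP"}

# One table row: protocol, local addr:port, foreign addr:port, service, state.
ROW = re.compile(
    r"^\s*(?P<proto>tcp|udp)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+)\s+(?P<service>.+?)\s+(?P<state>[A-Z_]+)\s*$"
)

def parse_open_ports(text):
    """Return one dict per socket row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["lport"], row["fport"] = int(row["lport"]), int(row["fport"])
            rows.append(row)
    return rows

def vpn_listeners(text):
    """Return sorted (name, proto, port, local address) for PPTP/L2TP listeners."""
    hits = []
    for row in parse_open_ports(text):
        name = VPN_LISTENERS.get((row["proto"], row["lport"]))
        # Only the router's own listening socket counts, not a foreign port.
        if name and row["state"] == "LISTEN":
            hits.append((name, row["proto"], row["lport"], row["laddr"]))
    return sorted(hits)

# Constructed sample output (not captured from a real device).
SAMPLE_BEFORE = """\
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                      *:1723                         *:0                     PPTP   LISTEN
 udp                      *:1701                         *:0                     L2TP   LISTEN
 udp                        *:67                         *:0            DHCPD Receive   LISTEN
 tcp                192.0.2.1:22           198.51.100.7:51723               SSH-Server ESTABLIS
"""
# Same constructed output with the two VPN listener rows gone.
SAMPLE_AFTER = "\n".join(
    l for l in SAMPLE_BEFORE.splitlines() if ":1723 " not in l and ":1701 " not in l
)

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, vpn_listeners(text) or "no PPTP/L2TP listeners")
```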
