Cisco FTD: routing issue

I came across an issue that stumped me at first. I had a VTI tunnel to Azure with a static route pointing at the tunnel next hop.

FTD# sh run route | i 10.16.0.0
route Tunnel10-Azure 10.16.0.0 255.255.0.0 10.2.80.2 1

The tunnel interface was up.

FTD# sh int ip br
Tunnel10 10.2.80.1 YES manual up up

However, traffic was not flowing. Checking the routing table for a host in that subnet showed this:

FTD# sh route 10.16.20.13

Routing entry for 10.16.0.0 255.255.0.0
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* 10.16.0.0, via outside
Route metric is 0, traffic share count is 1

The route was pointing out the outside interface, not into the tunnel! Long story short, this subnet was a member of a shared object-group that was also used in the crypto-map ACLs. A crypto map for a different peer had been built and applied using that object-group, and by default FTD enables Reverse Route Injection (RRI) on its crypto maps: for every remote network in the crypto ACL it installs a static route via the interface the crypto map is bound to (here, outside). That injected route is what shows up above as a static route with distance 1, and it is why the Azure subnet was being sent towards the other peer instead of into the VTI. You can confirm RRI is on with sh run crypto map | i reverse-route.

Once RRI was disabled on that crypto map, the injected route was gone and the routing issue was resolved. Keep in mind that disabling RRI also removes the injected routes for the other peer's networks, so those need explicit static routes (or another routing source) for that tunnel to keep working; the alternative is to leave RRI on and stop sharing one object-group between the crypto-map peer and the VTI-routed destination so the two no longer overlap. Either way, re-run sh route 10.16.20.13 afterwards and check that the destination now resolves via Tunnel10.
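To catch this kind of collision before it breaks traffic, here is an added Python script (not from the original post) that parses a fragment of FTD/ASA running configuration and reports every static route whose destination overlaps a network that a crypto map with set reverse-route would inject on a different interface. The configuration fragment, including the object-group, ACL, crypto-map and peer names, is constructed for the example and is not the author's config; the set reverse-route keyword is the CLI form in which RRI appears in show running-config on ASA/FTD. Nested object references and service object-groups are deliberately not modelled.

```python
"""Flag static routes that collide with Reverse Route Injection (RRI) routes.

Added example, not from the original post. Input is the text of
'show running-config' (or the relevant parts of it) from an ASA/FTD.
"""
import ipaddress
from collections import defaultdict

# Constructed sample config with made-up names; not the author's configuration.
SAMPLE_CONFIG = """\
object-group network AZURE_NETS
 network-object 10.16.0.0 255.255.0.0
 network-object 10.17.0.0 255.255.0.0
object-group network LOCAL_NETS
 network-object 10.1.0.0 255.255.0.0
access-list CSM_IPSEC_ACL_1 extended permit ip object-group LOCAL_NETS object-group AZURE_NETS
crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_outside_map 1 set peer 203.0.113.10
crypto map CSM_outside_map 1 set reverse-route
crypto map CSM_outside_map interface outside
route Tunnel10-Azure 10.16.0.0 255.255.0.0 10.2.80.2 1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
"""


def _parse_addr(tokens, groups):
    """Consume one ASA address spec from the front of tokens; return its networks."""
    kind = tokens.pop(0)
    if kind in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if kind == "object-group":
        return list(groups.get(tokens.pop(0), []))
    if kind == "object":
        tokens.pop(0)  # named 'object network' entries are not modelled here
        return []
    # bare "address netmask" pair; ip_network accepts dotted masks
    return [ipaddress.ip_network(f"{kind}/{tokens.pop(0)}", strict=False)]


def parse_config(text):
    """Extract object-groups, ACL destinations, crypto-map entries and static routes."""
    groups = defaultdict(list)   # object-group name -> [networks]
    acl_dst = defaultdict(list)  # ACL name -> destination networks of permit lines
    cmap_entries = {}            # (map name, seq) -> {"acl": name|None, "rri": bool}
    cmap_iface = {}              # map name -> interface the map is bound to
    routes = []                  # (interface, network, next hop)
    current_group = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "object-group" and tok[1] == "network":
            current_group = tok[2]
            groups[current_group]  # make sure even an empty group exists
            continue
        if line.startswith(" "):  # indented body of the current object-group
            if current_group and tok[0] == "network-object":
                groups[current_group].extend(_parse_addr(tok[1:], groups))
            continue  # descriptions and other indented lines are ignored
        current_group = None
        if tok[0] == "access-list" and "extended" in tok:
            # access-list NAME extended permit|deny PROTO SRC DST ...
            i = tok.index("extended")
            if tok[i + 1] != "permit":
                continue
            rest = tok[i + 3:]            # skip the protocol keyword
            _parse_addr(rest, groups)     # source; RRI only cares about the remote side
            acl_dst[tok[1]].extend(_parse_addr(rest, groups))
        elif tok[0] == "crypto" and tok[1] == "map":
            if tok[3] == "interface":
                cmap_iface[tok[2]] = tok[4]
                continue
            entry = cmap_entries.setdefault((tok[2], int(tok[3])), {"acl": None, "rri": False})
            if tok[4:6] == ["match", "address"]:
                entry["acl"] = tok[6]
            elif tok[4:6] == ["set", "reverse-route"]:
                entry["rri"] = True
        elif tok[0] == "route":
            routes.append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[4]))
    return groups, acl_dst, cmap_entries, cmap_iface, routes


def find_rri_conflicts(text):
    """Return (route, route iface, map, seq, map iface, RRI network) for each overlap."""
    _, acl_dst, cmap_entries, cmap_iface, routes = parse_config(text)
    findings = []
    for route_iface, route_net, _next_hop in routes:
        for (name, seq), entry in sorted(cmap_entries.items()):
            map_iface = cmap_iface.get(name)
            # Only active maps with RRI on a *different* interface can hijack the route
            if not entry["rri"] or entry["acl"] is None or map_iface in (None, route_iface):
                continue
            for rri_net in acl_dst.get(entry["acl"], []):
                if route_net.overlaps(rri_net):
                    findings.append((str(route_net), route_iface, name, seq, map_iface, str(rri_net)))
    return findings


if __name__ == "__main__":
    for route_net, route_iface, name, seq, map_iface, rri_net in find_rri_conflicts(SAMPLE_CONFIG):
        print(f"static route {route_net} via {route_iface} overlaps RRI network {rri_net} "
              f"injected by crypto map {name} seq {seq} on {map_iface}")
```

Run it against a saved show running-config and any line it prints is a candidate for exactly the symptom above: the RRI-injected static route competes with your own static route for the same destination, so either the crypto ACL or the static route has to give. The default route on outside in the sample is not reported because it sits on the same interface the crypto map is bound to.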
