I have a tunnel from Cisco IOS-XE (SDWAN) to Zscaler configured. The crypto phases are up (IKEv2 and IPSec), however the VTI is down:
swn-01#sho crypto ipsec sa interface Tunn11
interface: Tunnel11
Crypto map tag: Tunnel11-head-0, local addr 10.241.173.228
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 165.225.50.19 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.241.173.228, remote crypto endpt.: 165.225.50.19
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
swn-01#sho ip int br | inc Tunnel11
Tunnel11 169.254.0.2 YES other up down
swn-01#sho run | inc route
ip route 4.2.2.2 255.255.255.255 Tunnel11
swn-01#sh run int Tunn11
Building configuration...
Current configuration : 281 bytes
!
interface Tunnel11
description tunnel1toZscaler
ip address 169.254.0.2 255.255.255.252
ip mtu 1500
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 165.225.50.19
tunnel path-mtu-discovery
tunnel protection ipsec profile zscaler-ipsec-profile
end
Any idea why the VTI will not come up?
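As an added example (not part of the post): a small Python parser over the `show crypto ipsec sa` output quoted above that pulls the per-interface packet counters and outbound SPI and flags the state shown here, where the outbound SPI is 0x0 and nothing has been encapsulated or decapsulated. The sample text and the field regexes are constructed for this example from the lines in the post.

```python
import re

# Constructed sample: the relevant lines from the post's "show crypto ipsec sa".
SAMPLE = """\
interface: Tunnel11
current_peer 165.225.50.19 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
"""

# Field name -> regex capturing its value, applied to each stripped line.
FIELDS = {
    "encaps": r"#pkts encaps:\s+(\d+)",
    "decaps": r"#pkts decaps:\s+(\d+)",
    "outbound_spi": r"current outbound spi:\s+0x([0-9A-Fa-f]+)",
}

def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per interface."""
    blocks, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"interface:\s+(\S+)", line)
        if m:
            # New interface section; counters default to 0 until seen.
            cur = {"interface": m.group(1), "encaps": 0, "decaps": 0,
                   "outbound_spi": 0}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        for name, pattern in FIELDS.items():
            m = re.match(pattern, line)
            if m:
                cur[name] = int(m.group(1), 16 if name == "outbound_spi" else 10)
    return blocks

def diagnose(block):
    """Return findings that show no working IPsec SA on this interface."""
    findings = []
    if block["outbound_spi"] == 0:
        findings.append("outbound SPI is 0x0: no IPsec SA installed")
    if block["encaps"] == 0 and block["decaps"] == 0:
        findings.append("zero packets encapsulated/decapsulated")
    return findings

if __name__ == "__main__":
    for b in parse_ipsec_sa(SAMPLE):
        print(b["interface"], diagnose(b))
```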