Yes that is the problem. I need to policy route on source address because of SAF and I use a separate routing table for the tunnels with a default to UCSD. This fails with that 44.24.240/20 with gateway 44.24.221.1 network. We are building a gateway for 44.137.0.0/16 which in fact has already been running since the summer but the process of getting the provider to agree to route BGP has taken much longer than anticipated. Anyway, this gateway (which of course is not affected by SAF itself) has a separate public IP (194.109.64.198) for use by the IPIP tunnels to other gateways. I think that is a better method, it avoids lots of confusion and complicated policy routing rules. Maybe the routing will work again once we have our country gateway up and running with BGP and direct outbound routing of net-44 traffic (without having to tunnel to UCSD). I plan to work out a routing configuration without separate net-44 routing table at that time. Rob