The EX switch is indeed doing routing. In fact, the switches are participating in OSPF.
A little background - From our HQ we have two IPSec VPNs to the DR site. One VPN tunnel carries all data traffic and the other VPN tunnel is used to access the OOB network. There are a lot of devices on the OOB network including other network hardware and servers accessible via IPMI (iLOMs, iDRACs etc.). We can access all the other devices EXCEPT the EX3200 switches.
Because the routing instance is being shared, and the switch is participating in OSPF, the front routing interfaces know the path back to the HQ via the copper ports. So, I try to SSH into the switch's Management interface, the switch receives my initial SYN packet, and responds with a SYN, ACK but sends this packet out via the front copper interfaces with a source address of the management interface.
I have verified this behavior with Wireshark packet captures and my firewall logs. (The firewall logs this behavior as suspicious and drops the SYN, ACK as the initial SYN packet was not handled by it.)
Contacting JTAC for assistance on this issue was a complete waste of time. The person I spoke with had no idea about OOB framework and why it is important. In fact he was downright condescending and told me I did not understand the concept of a dedicated management interface. He wouldn't listen to me and every time I tried to explain what I was trying to do, he just responded back with canned responses. I have a feeling he was just reading back from some sort of technical document about what the management interface can and cannot be used for.
At this point the best solution seems to be from "wimclend", that is to assign one of the copper interfaces to a separate routing instance and use that to manage the switch. But it is surprising that Juniper is not supporting this feature which has been around for quite some time now.
Having a dedicated OOB interface was one of the reasons we chose the EX3200. As of writing this post, I am using a policy based NAT to manage the EX3200 to make it seem like I am managing them from the same subnet as the OOB network.
This has been a setback for us and we had to push back our live dates by a couple of days. However, I don't think Juniper is going to be on the table the next time we make a purchase or an upgrade.
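The return-path behaviour described in this post, modelled as an added example that is not part of the original post: a longest-prefix lookup picks the egress interface for the SYN, ACK, and a per-path stateful tracker decides whether it is accepted. All addresses, prefixes, ports and interface assignments are constructed assumptions, and the firewall is simplified to one state table per VPN path.

```python
import ipaddress

# Constructed addressing (assumptions, not values from the post).
HQ_ADMIN = ipaddress.ip_address("10.1.1.50")       # admin workstation at HQ
MGMT_IP = ipaddress.ip_address("192.168.100.10")   # switch management address

# Shared table: OSPF has installed the HQ prefix via a front copper port,
# so it is more specific than the default route out the management port.
SHARED = [("10.1.0.0/16", "ge-0/0/0"), ("192.168.100.0/24", "me0"),
          ("0.0.0.0/0", "me0")]
SHARED_PATHS = {"ge-0/0/0": "data", "me0": "oob"}

# Separate routing instance holding only a copper port used for management.
MGMT_ONLY = [("192.168.100.0/24", "ge-0/0/23"), ("0.0.0.0/0", "ge-0/0/23")]
MGMT_PATHS = {"ge-0/0/23": "oob"}


def lookup(table, dst):
    """Longest-prefix match; returns the egress interface name or None."""
    best = None
    for prefix, ifname in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


class StatefulPath:
    """A SYN, ACK is accepted only if the matching SYN crossed this path."""

    def __init__(self):
        self.half_open = set()

    def syn(self, src, dst, sport, dport):
        self.half_open.add((src, dst, sport, dport))

    def syn_ack(self, src, dst, sport, dport):
        # The reply must mirror a recorded SYN (addresses and ports swapped).
        return (dst, src, dport, sport) in self.half_open


def ssh_handshake(table, if_to_path):
    """Returns (egress interface, VPN path, SYN-ACK accepted?)."""
    trackers = {"oob": StatefulPath(), "data": StatefulPath()}
    trackers["oob"].syn(HQ_ADMIN, MGMT_IP, 50000, 22)  # SYN arrives via OOB VPN
    egress = lookup(table, HQ_ADMIN)                   # switch routes the reply
    path = if_to_path[egress]
    return egress, path, trackers[path].syn_ack(MGMT_IP, HQ_ADMIN, 22, 50000)


if __name__ == "__main__":
    print("shared table:     ", ssh_handshake(SHARED, SHARED_PATHS))
    print("separate instance:", ssh_handshake(MGMT_ONLY, MGMT_PATHS))
```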