05-04-2011 06:27 AM
I got two sites with one SRX in each, connected over an IPSEC tunnel.
I've installed our NSM(xpress) in site1, but the SRX in site 2 can't access the NSM in site1 over IPSEC. Anyone know how to do this?
05-05-2011 07:59 AM
With Netscreens there used to be an option to specify the 'src-interface' to a tunnel interface. SRX's seem a bit more flexible as to how self-generated traffic is routed out the device. Are you using a route-based VPN on the SRX's? If so, do you have a route for the NSM server pointing over the ST interface?
04-12-2012 12:34 AM
I was facing the same problem (routing set, else I would not even be able to remotely connect to the SRX).
In short: I had to change the primary IP of the managed srx.
I actually had this configuration:
Remote Site:
Vlan0
- Subnet1 (LAN)
- Subnet2 (Secondary LAN)
Management Site:
- Subnet3 (NSM)
IPsec SA was Subnet2/Subnet3.
I connected the NSM to the SRX at the secondary IP. But the device did not report back.
With a packet dump I could see that the device tried to connect to the remote site with the wrong IP address: subnet1.
When I saw this, I changed the vlan0 to the second subnet as primary, then the device connected just fine.
04-13-2012 04:08 AM
trondvh wrote: I got two sites with one SRX in each, connected over an IPSEC tunnel.
I've installed our NSM(xpress) in site1, but the SRX in site 2 can't access the NSM in site1 over IPSEC. Anyone know how to do this?
Really hard to help you with this little information. Can you give us some more details?