Friday, March 27, 2020

Ping failing between ER-4 and SRX320 despite correct OSPF routes showing in RIB

I have a multi-area OSPF setup between an ER-4 and an SRX320, and inter-area routes are showing up, but I can't ping any of those inter-area subnets from the ER-4. I can ping from the SRX subnets to the ER-4, but pinging the SRX subnets from behind the ER-4 fails. OSPF seems to be set up properly, the interface connections all seem to be fine, and the correct routes are being added to the route table.

ER-4 Config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-name lanv6 {
        default-action accept
    }
    ipv6-name localv6 {
        default-action accept
    }
    ipv6-name wanv6_lan {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            description established/related
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description invalid
            state {
                invalid enable
            }
        }
    }
    ipv6-name wanv6_local {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            description established/related
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description invalid
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface eth2 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                interface eth3.10 {
                    host-address ::1
                    prefix-id :3
                    service slaac
                }
                interface eth3.15 {
                    host-address ::1
                    prefix-id :4
                    service slaac
                }
                prefix-length /60
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.15.1/24
        description Local
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                other-config-flag false
                prefix ::/60 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 10.10.10.1/30
        description "Local 2"
        duplex auto
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                network broadcast
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        speed auto
    }
    ethernet eth3 {
        duplex full
        speed 1000
    }
    loopback lo {
        address 10.255.255.1/32
    }
}
protocols {
    ospf {
        area 0 {
            area-type {
                normal
            }
            network 192.168.15.0/24
            network 10.10.10.0/30
        }
        parameters {
            abr-type cisco
            router-id 10.255.255.1
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.15.0/24 {
                default-router 192.168.15.1
                dns-server 192.168.15.1
                dns-server 1.1.1.1
                lease 86400
                start 192.168.15.38 {
                    stop 192.168.15.243
                }
                static-mapping CentOS {
                    ip-address 192.168.15.52
                    mac-address 20:25:64:3c:1c:66
                }
                static-mapping DESKTOP-84K1ME3 {
                    ip-address 192.168.15.41
                    mac-address 70:8b:cd:2e:c1:c0
                }
                static-mapping DESKTOP-88BL9UN {
                    ip-address 192.168.15.39
                    mac-address 18:1d:ea:ff:d1:c9
                }
                static-mapping ES-8-150w {
                    ip-address 192.168.15.44
                    mac-address 74:83:c2:15:c1:64
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dhcpv6-server {
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    gateway-address 173.61.5.1
    host-name ubnt
    login {
        user admin {
            authentication {
                encrypted-password $6$cTDYN93M6w2$XsffGtfkBaM.lCUhaQt34VW7poAvpcxd7LqYgQQyLuw0wYjEmoCJgOayPtXIEvIJL.a.qvoSyfLxBMacm9GqG/
                plaintext-password ""
            }
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            full-name ""
            level operator
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding enable
        }
    }
    static-host-mapping {
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}
traffic-control {
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
    }
}

SRX320 Current Config:

version 18.3R1.9;
groups {
    global {
        security {
            policies {
                default-policy {
                    permit-all;
                }
            }
        }
    }
}
system {
    root-authentication {
        encrypted-password "$6$zPzxSn6o$7caaG.fC3St4qMNwe17CM6txBX1u5xvxnBXuPZGphyn9jVH1x6Vb0mPQmePNGncoQy8Zu3hru53IinPAXtPIA/"; ## SECRET-DATA
    }
    host-name SRX-FW1;
    auto-snapshot;
    name-server {
        1.1.1.1;
        1.0.0.1;
    }
    services {
        ssh {
            root-login allow;
        }
        netconf {
            ssh;
        }
        dhcp-local-server {
            group VLAN10 {
                interface ge-0/0/6.10;
            }
            group VLAN15 {
                interface ge-0/0/6.15;
            }
            group VLAN20 {
                interface ge-0/0/6.20;
            }
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    phone-home {
        server https://redirect.juniper.net;
        rfc-compliant;
    }
}
security {
    log {
        mode stream;
        report;
    }
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    screen {
        ids-option unt-scr {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
                ge-0/0/6.5 {
                    host-inbound-traffic {
                        system-services {
                            dhcp {
                                except;
                            }
                            dhcpv6 {
                                except;
                            }
                            bootp {
                                except;
                            }
                            all;
                        }
                    }
                }
                ge-0/0/6.10 {
                    host-inbound-traffic {
                        system-services {
                            ssh {
                                except;
                            }
                            all;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
                ge-0/0/6.15 {
                    host-inbound-traffic {
                        system-services {
                            ssh {
                                except;
                            }
                            all;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
                ge-0/0/6.20 {
                    host-inbound-traffic {
                        system-services {
                            ssh {
                                except;
                            }
                            all;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
                ge-0/0/6.21 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ssh {
                                except;
                            }
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen unt-scr;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        protocols {
                            ospf;
                            router-discovery;
                            igmp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    interface-range ALLINT {
        member-range ge-0/0/0 to ge-0/0/7;
        speed 1g;
        link-mode full-duplex;
    }
    ge-0/0/0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/6 {
        vlan-tagging;
        unit 5 {
            vlan-id 5;
            family inet {
                address 10.0.0.1/28;
            }
        }
        unit 10 {
            vlan-id 10;
            family inet {
                address 192.168.25.1/24;
            }
        }
        unit 15 {
            vlan-id 15;
            family inet {
                address 172.30.30.1/24;
            }
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 172.19.20.1/24;
            }
        }
        unit 21 {
            vlan-id 21;
            family inet {
                address 10.10.20.1/30;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 10.10.10.2/30;
            }
            family inet6;
        }
    }
    cl-1/0/0 {
        dialer-options {
            pool 1 priority 100;
        }
    }
    dl0 {
        unit 0 {
            family inet {
                negotiate-address;
            }
            family inet6 {
                negotiate-address;
            }
            dialer-options {
                pool 1;
                dial-string 1234;
                always-on;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.2/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.10.1;
    }
    router-id 10.255.255.2;
    autonomous-system 65356;
}
protocols {
    router-advertisement {
        interface ge-0/0/7.0;
    }
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/7.0;
            interface lo0.0 {
                passive;
            }
        }
        area 0.0.0.1 {
            interface ge-0/0/5.0;
            interface ge-0/0/6.10;
        }
        area 0.0.0.2 {
            interface ge-0/0/4.0;
            interface ge-0/0/3.0;
            interface ge-0/0/6.15;
        }
        area 0.0.0.3 {
            interface ge-0/0/2.0;
            interface ge-0/0/1.0;
            interface ge-0/0/6.20;
        }
    }
    l2-learning {
        global-mode switching;
    }
    lldp {
        interface all;
    }
}
policy-options {
    prefix-list SSH_IP_LIST {
        192.168.15.39/32;
        192.168.15.41/32;
    }
}
firewall {
    filter SSH_IP_FILTER {
        term 1 {
            from {
                address {
                    0.0.0.0/0;
                }
                prefix-list {
                    SSH_IP_LIST except;
                }
                destination-port ssh;
            }
            then {
                discard;
            }
        }
        term default {
            then accept;
        }
    }
}
access {
    address-assignment {
        pool VLAN20 {
            family inet {
                network 172.19.20.0/24;
                range irb20_NET {
                    low 172.19.20.10;
                    high 172.19.20.200;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                    }
                    router {
                        172.19.20.1;
                    }
                }
            }
        }
        pool VLAN15 {
            family inet {
                network 172.30.30.0/24;
                range irb15_NET {
                    low 172.30.30.10;
                    high 172.30.30.200;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                    }
                    router {
                        172.30.30.1;
                    }
                }
            }
        }
        pool VLAN10 {
            family inet {
                network 192.168.25.0/24;
                range irb10_NET {
                    low 192.168.25.10;
                    high 192.168.25.200;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                    }
                    router {
                        192.168.25.1;
                    }
                }
            }
        }
    }
}
vlans {
    VLAN10 {
        vlan-id 10;
    }
    VLAN15 {
        vlan-id 15;
    }
    VLAN20 {
        vlan-id 20;
    }
    VLAN21 {
        vlan-id 21;
    }
    VLAN5 {
        description "Server Management Vlan";
        vlan-id 5;
    }
}

ER-4 route table:

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [210/0] via 173.61.5.1, eth0
C    *> 10.10.10.0/30 is directly connected, eth2
C    *> 10.255.255.1/32 is directly connected, lo
O    *> 10.255.255.2/32 [110/1] via 10.10.10.2, eth2, 00:22:18
C    *> 127.0.0.0/8 is directly connected, lo
O IA *> 172.19.20.0/24 [110/2] via 10.10.10.2, eth2, 00:22:18
O IA *> 172.30.30.0/24 [110/2] via 10.10.10.2, eth2, 00:22:18
C    *> 173.61.5.0/24 is directly connected, eth0
C    *> 192.168.15.0/24 is directly connected, eth1
O IA *> 192.168.25.0/24 [110/2] via 10.10.10.2, eth2, 00:22:18

SRX320 route table:

inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:23:10
                    > to 10.10.10.1 via ge-0/0/7.0
10.0.0.0/28        *[Direct/0] 01:27:08
                    > via ge-0/0/6.5
10.0.0.1/32        *[Local/0] 01:27:08
                      Local via ge-0/0/6.5
10.10.10.0/30      *[Direct/0] 00:23:10
                    > via ge-0/0/7.0
10.10.10.2/32      *[Local/0] 00:23:10
                      Local via ge-0/0/7.0
10.10.20.0/30      *[Direct/0] 01:27:08
                    > via ge-0/0/6.21
10.10.20.1/32      *[Local/0] 01:27:08
                      Local via ge-0/0/6.21
10.255.255.2/32    *[Direct/0] 4d 21:29:50
                    > via lo0.0
172.19.20.0/24     *[Direct/0] 01:27:08
                    > via ge-0/0/6.20
172.19.20.1/32     *[Local/0] 01:27:08
                      Local via ge-0/0/6.20
172.30.30.0/24     *[Direct/0] 01:27:08
                    > via ge-0/0/6.15
172.30.30.1/32     *[Local/0] 01:27:08
                      Local via ge-0/0/6.15
192.168.15.0/24    *[OSPF/10] 00:22:13, metric 2
                    > to 10.10.10.1 via ge-0/0/7.0
192.168.25.0/24    *[Direct/0] 01:27:08
                    > via ge-0/0/6.10
192.168.25.1/32    *[Local/0] 01:27:08
                      Local via ge-0/0/6.10
224.0.0.5/32       *[OSPF/10] 4d 21:29:50, metric 1
                      MultiRecv

Any help is appreciated. I'll provide any further details as needed.
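Editor's added example (not part of the original post). Routes in the RIB only decide which interface a packet leaves on; on an SRX the flow still has to pass a security policy, and that policy is selected by the pair (zone of the ingress interface, zone of the egress interface). A flow for which no zone-pair policy is configured falls through to the default policy, which on Junos is deny-all unless configured otherwise. The script below replays that lookup using the interface-to-zone mapping, the connected and learned prefixes, and the two policy names taken from the posted SRX configuration. The posted config puts `permit-all` into a configuration group named `global`; whether that group is actually inherited is not something the posted text settles, so the effective default is left as a parameter rather than assumed. The sample flow addresses (172.19.20.50, 192.168.15.41, 172.30.30.5) are my own picks from the posted subnets.

```python
"""Zone-pair security policy lookup for the posted SRX320 configuration.

Added example, not from the original post. Models the SRX policy
selection step: ingress interface -> from-zone, route lookup on the
destination -> egress interface -> to-zone, then a search for a
from-zone/to-zone policy. No match means the default policy applies.
"""
import ipaddress

# Interface -> zone, from the posted `security zones` stanza.
ZONES = {
    "ge-0/0/7.0": "untrust",
    "ge-0/0/6.5": "trust",
    "ge-0/0/6.10": "trust",
    "ge-0/0/6.15": "trust",
    "ge-0/0/6.20": "trust",
    "ge-0/0/6.21": "trust",
}

# Prefixes from the posted `interfaces` stanza and SRX route table:
# directly connected subnets, the OSPF-learned ER-4 LAN, and the static default.
ROUTES = [
    ("10.10.10.0/30", "ge-0/0/7.0"),
    ("10.0.0.0/28", "ge-0/0/6.5"),
    ("192.168.25.0/24", "ge-0/0/6.10"),
    ("172.30.30.0/24", "ge-0/0/6.15"),
    ("172.19.20.0/24", "ge-0/0/6.20"),
    ("10.10.20.0/30", "ge-0/0/6.21"),
    ("192.168.15.0/24", "ge-0/0/7.0"),  # OSPF, next hop 10.10.10.1
    ("0.0.0.0/0", "ge-0/0/7.0"),        # static default, next hop 10.10.10.1
]

# (from-zone, to-zone) -> policy name; exactly the pairs present in the posted config.
POLICIES = {
    ("trust", "trust"): "trust-to-trust",
    ("trust", "untrust"): "trust-to-untrust",
}


def egress_interface(dst):
    """Longest-prefix match over ROUTES, the way the inet.0 lookup resolves dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def lookup(src_if, dst, default_policy="deny-all"):
    """Return (from_zone, to_zone, policy) for a transit flow that arrives on
    src_if and is bound for dst. `policy` is the matching zone-pair policy
    name, or the default policy action when no zone pair is configured.
    default_policy is a parameter: deny-all is the Junos default, permit-all
    is what the posted `groups global` stanza would give if it is inherited."""
    from_zone = ZONES[src_if]
    to_zone = ZONES[egress_interface(dst)]
    policy = POLICIES.get((from_zone, to_zone), "default-policy " + default_policy)
    return from_zone, to_zone, policy


if __name__ == "__main__":
    # ER-4 LAN host pinging a VLAN20 host: arrives on ge-0/0/7.0 (untrust),
    # routed out ge-0/0/6.20 (trust). No untrust-to-trust policy exists.
    print("ER-4 -> VLAN20:", lookup("ge-0/0/7.0", "172.19.20.50"))
    # Reverse direction: VLAN20 host pinging the ER-4 LAN (trust -> untrust).
    print("VLAN20 -> ER-4:", lookup("ge-0/0/6.20", "192.168.15.41"))
    # Inter-VLAN behind the SRX stays within the trust zone.
    print("VLAN10 -> VLAN15:", lookup("ge-0/0/6.10", "172.30.30.5"))
```

Run as-is, the first lookup lands on the default policy and the second on `trust-to-untrust`, which has the same direction asymmetry as the symptom in the post. Whether that is what the device is actually doing is checked on the SRX itself with `show security match-policies` for the untrust-to-trust flow and `show security flow session` while a ping is running; the model above only says where the posted policy set leaves that flow.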


