You may need to check the command "show datapath route-cache table | include mac address of the local" and repeat the same command on local to see the mac addres of the master and its VLAN as well.
If you want to futher enable debugging for "logging level debugging system process cfgm" on both controller and security process to look for what is missing out.
If you are able to ping check for phase I and Phase II ipsec traffic from show crypto isakmp sa & show crypto ipsec sa"
packet-capture udp 4500 & crypto isakmp packet-dump to see for ipsec traffic on the pcap.
It is worth to remove the config from both end and try to add the config of masterip back on local to reload and see how it goes.
Thank you.