Thanks for confirmation. I was running into this same issue in my lab. I felt like it was VMware side config that was causing the issue since the 9k configs were identical where appropriate. I know the config works on real gear.
I would discourage the use of the any keyword as well. You can't use object groups in crypto ACLs on routers.https://supportforums.cisco.com/discussion/11110466/ios-15-vpn-site-site-acls-object-groupshttp://www.cisco.com/c/en/us/td/docs/ios/sec_data_...