acl replication between datacenters


John F

Jun 8, 2020, 8:21:14 PM
to Consul
I'm in the process of rolling out 2 clusters in 2 datacenters. dc1 has been up and operational for a while now and dc2 is about to go live. I'm having trouble with the ACL replication though and I'm not sure what to do to solve it. My situation on the secondary cluster looks like this:

curl http://localhost:8500/v1/acl/replication?pretty
{
"Enabled": true,
"Running": true,
"SourceDatacenter": "dc1",
"ReplicationType": "legacy",
"ReplicatedIndex": 0,
"ReplicatedRoleIndex": 0,
"ReplicatedTokenIndex": 0,
"LastSuccess": "0001-01-01T00:00:00Z",
"LastError": "0001-01-01T00:00:00Z"
}

I'm not sure how to get the replication type to convert to token. According to the checks I've done on the primary dc all the tokens there have accessorIDs and as such should be able to replicate across.

The clusters are both Consul v1.6.1 and my understanding is that anything post 1.4 should automatically convert from legacy once all servers in the cluster are newer than 1.4, which they are.

The response from the following query is empty:
curl -sH "X-Consul-Token: $CONSUL_TOKEN" 'http://localhost:8500/v1/acl/tokens' | jq -r '.[] | select (.Legacy) | .AccessorID'


I don't know where else to look for the reason this isn't working. Does anyone have advice for what I can check next?

TIA
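As an added illustration (not code from the poster or from Consul), here is a small health check that reads the output of the two endpoints quoted above and turns it into findings. It embeds the replication status from the post as a constructed sample, plus a constructed token list with one legacy token; the finding codes, thresholds and the `diagnose_replication` / `legacy_accessor_ids` names are my own assumptions, and the only Consul specifics relied on are the fields shown in the post and the documented `ReplicationType` values (`legacy`, `policies`, `tokens`).

```python
import json
from datetime import datetime, timezone

# Consul reports "never" as Go's zero time.
ZERO_TIME = "0001-01-01T00:00:00Z"

# Constructed sample: the /v1/acl/replication body from the post above.
SAMPLE_STATUS = """{
"Enabled": true,
"Running": true,
"SourceDatacenter": "dc1",
"ReplicationType": "legacy",
"ReplicatedIndex": 0,
"ReplicatedRoleIndex": 0,
"ReplicatedTokenIndex": 0,
"LastSuccess": "0001-01-01T00:00:00Z",
"LastError": "0001-01-01T00:00:00Z"
}"""

# Constructed sample: a /v1/acl/tokens listing with one legacy token.
# The AccessorIDs are placeholders, not values from the post.
SAMPLE_TOKENS = """[
{"AccessorID": "00000000-0000-0000-0000-000000000001", "Legacy": false},
{"AccessorID": "00000000-0000-0000-0000-000000000002", "Legacy": true}
]"""


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp as Consul emits it, with or without fractions."""
    body = value.rstrip("Z")
    main, _, frac = body.partition(".")
    dt = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    if frac:
        dt = dt.replace(microsecond=int((frac + "000000")[:6]))
    return dt.replace(tzinfo=timezone.utc)


def diagnose_replication(status_json: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for a secondary dc's replication status.

    Finding codes are assumptions for this example, not Consul terminology.
    """
    s = json.loads(status_json)
    findings: list[tuple[str, str]] = []

    if not s.get("Enabled"):
        findings.append(("DISABLED", "ACL replication is not enabled on this datacenter"))
    if not s.get("Running"):
        findings.append(("NOT_RUNNING", "the replication routine is not running"))
    if s.get("ReplicationType") == "legacy":
        findings.append(("TYPE_LEGACY",
                         "secondary still runs legacy replication, so tokens, policies "
                         "and roles are not being copied from %s" % s.get("SourceDatacenter")))
    if s.get("LastSuccess", ZERO_TIME) == ZERO_TIME:
        findings.append(("NEVER_SUCCEEDED",
                         "no replication round has ever completed (ReplicatedIndex=%s)"
                         % s.get("ReplicatedIndex")))
    elif s.get("LastError", ZERO_TIME) != ZERO_TIME and \
            parse_ts(s["LastError"]) > parse_ts(s["LastSuccess"]):
        findings.append(("LAST_ROUND_FAILED",
                         "the most recent round failed after the last success"))
    return findings


def legacy_accessor_ids(tokens_json: str) -> list[str]:
    """Same filter as the jq expression in the post: AccessorIDs of legacy tokens."""
    return [t["AccessorID"] for t in json.loads(tokens_json) if t.get("Legacy")]


if __name__ == "__main__":
    for code, why in diagnose_replication(SAMPLE_STATUS):
        print(f"{code}: {why}")
    print("legacy tokens:", legacy_accessor_ids(SAMPLE_TOKENS))
```

Run against live data by piping `curl http://localhost:8500/v1/acl/replication` and the token listing into the two functions; an empty list from `legacy_accessor_ids` with `TYPE_LEGACY` still reported is exactly the mismatch the post describes, which points at how the secondary perceives the primary rather than at the tokens themselves.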

John F

Jun 12, 2020, 10:21:16 AM
to Consul
As an additional troubleshooting step, I have since upgraded all clusters to v1.7.3. This has not changed the situation and I'm still unable to replicate the token DB across clusters. This is preventing Consul client agents in a secondary dc from being able to contact their local dc cluster to request new tokens, forcing everything to contact the primary dc for any ACL-related tasks.