Thanks! That's really helpful. Is it likely to be a firmware issue that is causing that error to be thrown in CNA?

my opinion its a CNA issue the software is not the best to say the least ,its buggy and there always issues with it , I don't personally use it but I have seen so many variety of bugs with it on the forum 

If you cant get it working just build the ether channel through cli , I can assist you with that but not fixing CNA , even TAC will tell you ..ah its probably the software will be fixed in next release , you could roll back a CNA version to 6.2 or 1 see if the same bug is there may not be

Heh, I did wonder as much. All my switch/router CLI configuration experience is in Vyatta, so these inherited Cisco switches are black magic for me; hence reaching out to a GUI. I'll attempt a firmware update next week.

Thanks for the offer for helping with creating an EtherChannel via the CLI! The downstream devices for which I need to create an EtherChannel are WatchGuard Firebox firewalls. They support 802.3ad; will this allow me to avoid having to manually create an EtherChannel?

Thanks for those commands - you put me in the right place to start getting a grip of the CLI. I've got a new EtherChannel for the WatchGuard now :)

Using a ping -t test, I can see that traffic continues to flow when one interface gets unplugged. Although I do notice when I unplug one particular interface that the ping is lost momentarily before continuing...but I think that might just be because the cable I'm unplugging is on the same switch in the stack as my traffic was coming from.

You can alter your load balancing in CLI for port-channels its recommended to use this , the reason being its at layer 4 - 7  and works better for LB , that may help it rather than the default LB settings , its good practice to use that anyway with etherchannels

(conf t)port-channel load-balance src-dst-port

Using a ping -t test, I can see that traffic continues to flow when one interface gets unplugged. Although I do notice when I unplug one particular interface that the ping is lost momentarily before continuing...but I think that might just be because the cable I'm unplugging is on the same switch in the stack as my traffic was coming from.

That may be the issue it could be checking STP momentarily hard to say without debugging it  , as long as its only a ping or two you should be fine unless there is highly sensitive apps behind it that would notice a very quick drop , most wont have an issue with it

We're set to src-dst-ip at the moment... so using src-dst-port/MAC address is better? We already have 4 EtherChannels configured (before my time) for our ESXi Blade enclosure, so I don't particularly wish to change the load balance mode.

that's your choice you can set it as you want , im just giving what TAC recommend to us , it worked out a lot better for us in terms of load balancing when your checking the flow of traffic , the issue with use src dst ip , is traffic can constantly use just the same link rather than utilizing both or more in the bundle , kinda not using the LB feature but still you have resiliency with multiple links  , something to check anyway your not just seeing traffic flowing constant on 1 link , it can depend on your architecture too  

Src-dst-ip: Traffic is distributed to bundled links according to source and destination IP address combination. Therefore, in networks where traffic originates from many different sources destined for the same or different destinations, is distributed in a balance way across aggregated links.

• Src-dst-mac: Traffic distribution is based upon source and destination mac-address combination. This method accomplishes fair load distribution only in cases that only Layer 2 switching takes place, and traffic route patterns do not cross router interfaces.

• Src-dst-port: In case that we have most of the traffic traversing constant end-devices distributing traffic based on source and destination ports might be the better solution to achieve better load balancing between aggregated links.