Hi,

I have a pair of HA ASA and 2960 switch stack (two member). As shown in the rough diagram, I am using Port 1 of each ASA connecting to Port 47 of the switch stack; Port 2 of each ASA connecting to Port 48 of the switch stack. The port-channel is configured as Trunk on ASA with multiple sub-interface for each VLAN. ASA is the gateway for each VLAN and ASA is running 9.8.2 code.

My question is: do I configure on etherchannel on switch stack for all four ports like in diagram OR do I configure two etherchannels: one for the ports connecting to Primary ASA and another one for ports connecting to Secondary ASA?

If one etherchannel is fine, then my problem is I can not ping the standby IP configured on the port-channel sub-interface. Below is a sample for VLAN 100 on ASA:

interface GigabitEthernet1/1
  channel-group 10 mode active
  no nameif
  no security-level
  no ip address
  no shut
!
interface GigabitEthernet1/2
  channel-group 10 mode active
  no nameif
  no security-level
  no ip address
  no shut
!
interface Port-channel10.100
  vlan 100
  nameif inside-data
  security-level 100
  ip address 192.168.100.254 255.255.255.0 standby 192.168.100.253

Here below is the corresponding configure on the SW:

interface Port-channel10
 description Uplink to FW
 switchport mode trunk

!

interface range GigabitEthernet1/0/47-48, Gig2/0/47-48
 description Uplink to FW
 switchport mode trunk
 channel-group 10 mode active

I can ping 192.168.100.254 but not the 192.168.100.253.

Suggestions?