We have a pair of 5520s set as active/standby; both have an AIP-SSM.
Both AIPs are set to auto-update the sig files, so that's not an issue, but what about the active detection? The primary IPS will have seen a lot of traffic that the failover IPS has not; how will the active rule sets be affected when the ASA fails over to the standby unit? Will I have "holes" in my security from missing rule sets?
The IPS units are completely independent and won't synchronise anything without extra help (e.g. by using Security Manager or suchlike).
Having them auto-update is good, but you also need to make sure all the config is replicated, so when you make a change on one you have to remember to make the same change on the other.
In the normal situation the active IPS is forwarding traffic (and the standby sees nothing), but when they fail over the standby IPS is suddenly in the active ASA. It doesn't know that the other IPS is out of action; it just sees traffic, which it will inspect according to its configuration.
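Since the two sensors don't replicate anything, the practical check is to pull the running configuration from both modules and diff them before trusting a failover. Below is an added example (my own script, not anything from the original thread or from Cisco) that strips the lines expected to differ between the two units and reports the rest. The two config dumps are constructed, and their layout is only loosely modelled on a sensor's hierarchical "show configuration" output; the list of volatile lines (timestamp, host-ip, host-name) is an assumption you would adjust for your own sensors.

```python
import re
from difflib import unified_diff

# Constructed sample dumps (not real device output). Only the shape of a
# hierarchical IPS config is imitated here; command names are illustrative.
ACTIVE_CFG = """\
! Current configuration last modified Mon Jan 01 10:00:00 2024
service host
network-settings
host-ip 10.0.0.11/24,10.0.0.1
host-name ips-primary
exit
exit
service signature-definition sig0
signatures 2000 0
status
enabled true
exit
exit
signatures 5581 0
status
enabled false
exit
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 90-100
exit
exit
"""

# The standby has the same signature update but was never given the
# hand-made tuning: 5581 is still enabled and the deny threshold differs.
STANDBY_CFG = """\
! Current configuration last modified Tue Jan 02 08:15:00 2024
service host
network-settings
host-ip 10.0.0.12/24,10.0.0.1
host-name ips-secondary
exit
exit
service signature-definition sig0
signatures 2000 0
status
enabled true
exit
exit
signatures 5581 0
status
enabled true
exit
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 85-100
exit
exit
"""

# Lines that legitimately differ between the two modules (assumed list).
VOLATILE = [
    re.compile(r"^! Current configuration last modified"),
    re.compile(r"^host-ip "),
    re.compile(r"^host-name "),
]


def normalize(cfg: str) -> list[str]:
    """Drop blank and per-unit lines so only policy differences remain."""
    return [
        line.rstrip()
        for line in cfg.splitlines()
        if line.strip() and not any(p.match(line) for p in VOLATILE)
    ]


def config_drift(active: str, standby: str) -> list[str]:
    """Unified diff of the two normalized configs (empty means in sync)."""
    return list(
        unified_diff(normalize(active), normalize(standby),
                     fromfile="active", tofile="standby", lineterm="")
    )


def drift_summary(active: str, standby: str) -> tuple[list[str], list[str]]:
    """Return (only_on_active, only_on_standby) without diff headers."""
    removed, added = [], []
    for line in config_drift(active, standby):
        if line.startswith("---") or line.startswith("+++") or line.startswith("@@"):
            continue
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return removed, added


def is_in_sync(active: str, standby: str) -> bool:
    return not config_drift(active, standby)


if __name__ == "__main__":
    for line in config_drift(ACTIVE_CFG, STANDBY_CFG):
        print(line)
```

Run it against the real dumps from both modules before a planned failover; any line reported in the summary is a setting that exists on the active sensor but will not be enforced once the standby takes over.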