This is a controversial one:
We are trying to make a failover decision between two locations... Each site has a 2811 router AND a DSL backup to the Internet. Each site has an ASA connected to the 2811 to establish a VPN tunnel. The question centers on failover. Do we put the DSL line into a 2nd port on the ASA  at each location and try to use the track command to failover to the DSL? Or get a 2nd ASA for each site? Of course this gets involved when we bring up EIGRP with the internal network. Can the ASA track and interface and when it goes down, use the secondary interface to re-establish the VPN tunnel at the far end? This then begs the question, what if it's the OTHER SIDE of the tunnel that dies but the line itself is not down... How do we make use of a 2nd tunnel if a 2nd tunnel out the failover interface is even possible... Whew!