1 - Well you could always have the other one as the actual Firewall and the other one as the VPN device (then ofcourse no Failover) This again though would leave you without a backup device for the main firewall (or the VPN for that matter). Though I got the picture this was already the case with current PIX515E and VPN concentrator?
2 - We have both kind of setups. Firewall and VPN services together and both on separate devices. My personal preference is that they are kept separate. This simplifies, to me atleast, handling each device. When they dont contain alot of configurations that are tied to eachother
Then again we have setups where we have maybe 20 L2L-VPNs and tens of SSL VPN Client users and the Firewall functionality in the same Failover ASA pair and they work just as fine.
So far the only problem/lacking thing the ASAs is the fact that you can't really do PBR or they arent VRF aware which would help alot in some situations. (I know they aren't meant to be routers )
Though we do also have a VPN modules for 7600 -series that let us use VRFs to our advantage.
3 - I think Cisco just released models of ASAs that will replace the 5510 - 5550 range of current ASAs. They have builtin IPS in every model I think. Think the models are 5512-X, 5515-X, 5525-X, 5545-X and 5555-X
Here is a link to FAQ of the ASA service module for 6500 -series
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...