Wednesday, May 2, 2018

Juniper SRX HA Configuration for dual Internet circuits

So, we are refreshing our Internet edge infrastructure, and seeing as we're an all-Juniper shop, it made sense to go with the SRX platform. We picked SRX 1500s, as they seemed to meet our needs at an affordable price.

We're currently in the design phase of working out how all of this is going to fit together. We're getting two DIA fiber circuits for our Internet handoff: one 10Gbps circuit and one 1Gbps circuit.

We're currently weighing our options between an HA cluster configuration and leaving the two SRXs as stand-alone boxes with VRRP and iBGP between them. (The LAN side will have a single static default route pointed at a single gateway IP address in either scenario.)

Based on our understanding of how the two configurations work, this is how the two different setups would look.

Here are some of the pros and cons we came up with between going Cluster Mode and going with stand-alone SRXs.

Cluster Mode Advantages

  • Maintains the session state table across both boxes (this keeps sessions alive during failover events).

  • You don't lose one of the Internet circuits if one of the SRXs goes down.

  • Single management plane, so the routing and security policy configurations are simplified.

Cluster Mode Disadvantages

  • Requires a switch (or switches) north of the SRXs so that each Internet circuit can be delivered at Layer 2 to both SRXs, which means extra hardware and extra devices to manage.

  • A single management plane could mean a crash, failure or instability takes out both SRXs at once (but hopefully the new hardware with updated code makes this a non-factor).

  • Adds the redundancy-group configuration to the boxes.
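As an added illustration of the cluster design in the lists above (not configuration from the original post), here is a minimal Junos chassis-cluster layout for the two circuits. Interface names, the node-1 port numbering, addresses, priorities and weights are assumptions made for the example: each circuit lands on a reth interface whose member links are one port per node, both fed from the switch north of the cluster, and interface monitoring moves redundancy group 1 to the other node when a member link fails. The `#` lines are reader comments, not part of the set commands.

```junos
# Added example, not from the post. Node-1 port names (xe-7/0/x, ge-7/0/x) follow the
# SRX1500 FPC offset; verify with "show chassis cluster interfaces" on the real hardware.

# The control link is the dedicated HA port on an SRX1500; the fabric (data) link is a
# user-chosen pair of ports, one per node (assumed ge-0/0/2 and ge-7/0/2 here).
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-7/0/2

# reth0 = 10G circuit, reth1 = 1G circuit, reth2 = LAN gateway
set chassis cluster reth-count 3

# RG0 owns the routing engine; RG1 owns the data-plane interfaces. Node 0 is preferred.
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Weight 255 means a single monitored link failure fails RG1 over to the other node
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/16 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-7/0/16 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/0 weight 255

# 10G circuit: one 10G port per node, both patched into the northbound switch
set interfaces xe-0/0/16 gigether-options redundant-parent reth0
set interfaces xe-7/0/16 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/30

# 1G circuit, same pattern (203.0.113.0/30 and 198.51.100.0/30 are assumed provider /30s)
set interfaces ge-0/0/0 gigether-options redundant-parent reth1
set interfaces ge-7/0/0 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 198.51.100.2/30

# LAN side: the single gateway IP that the LAN's static default route points at
set interfaces ge-0/0/1 gigether-options redundant-parent reth2
set interfaces ge-7/0/1 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 10.10.0.1/24

set security zones security-zone untrust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone trust interfaces reth2.0

# How egress is split between the two circuits is a separate decision the post does not
# make; shown here as a primary default via the 10G with a floating backup via the 1G.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 198.51.100.1 preference 10
```

The cluster id and node id themselves are set from operational mode on each box before this configuration is loaded (`set chassis cluster cluster-id 1 node 0 reboot` and `... node 1 reboot`), and `show chassis cluster status` confirms which node holds RG0 and RG1. Note that interface monitoring only reacts to loss of a member link; an upstream provider outage with the link still up needs route or reachability monitoring, which is outside what the post discusses.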

Stand-alone SRX Advantages

  • No switches needed north of the SRXs, so it saves money and means fewer devices and less equipment to manage.

  • More maintenance-friendly? (we can do maintenance on one SRX without affecting the other)

  • Some people like sticking to open standard stuff like VRRP and BGP (not sure if this qualifies as an advantage, but thought I'd throw it in there)

Stand-alone SRX Disadvantages

  • Less redundancy: each circuit is hard-tied to one SRX. If SRX-A goes down, we lose the 10 Gig circuit, period.

  • More configuration, as far as setting up iBGP to share routes and VRRP to establish the gateway (this may be trivial configuration, but it's still more)

  • Failover events would be noticed by users, since the surviving SRX has no state for the existing sessions: it drops their packets (first packet isn't a SYN, etc.) and every session has to re-establish.
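As an added illustration of the stand-alone design (not configuration from the original post), here is the VRRP and iBGP piece for SRX-A, the box that owns the 10G circuit. SRX-B mirrors it with its own provider /30, LAN address 10.10.0.3 and a lower VRRP priority. Interface names, addresses and the AS number are assumptions for the example; the `#` lines are reader comments, not set commands.

```junos
# Added example, not from the post. SRX-A side only; SRX-B is the mirror image.

# 10G circuit lands directly on SRX-A, no switch in between (203.0.113.0/30 assumed)
set interfaces xe-0/0/16 unit 0 family inet address 203.0.113.2/30
set security zones security-zone untrust interfaces xe-0/0/16.0

# LAN side: both SRXs share the virtual gateway 10.10.0.1 via VRRP.
# Tracking the uplink drops SRX-A's priority from 200 to 50 when the 10G link dies,
# so the gateway moves to SRX-B (assumed priority 100), which still has a circuit.
set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.2/24 vrrp-group 1 virtual-address 10.10.0.1
set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.2/24 vrrp-group 1 priority 200
set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.2/24 vrrp-group 1 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.2/24 vrrp-group 1 accept-data
set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.2/24 vrrp-group 1 track interface xe-0/0/16 priority-cost 150

# The SRX drops VRRP and BGP to its own control plane unless the zone explicitly allows them
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp

# Local default route via this box's own circuit (static preference 5 beats iBGP at 170)
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# iBGP to SRX-B across the LAN segment: each box advertises its own default with
# next-hop self, so the peer has a backup path through the LAN if its circuit goes away.
set routing-options autonomous-system 65000
set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 10.10.0.2
set protocols bgp group ibgp neighbor 10.10.0.3
set protocols bgp group ibgp export share-default
set policy-options policy-statement share-default term local-default from protocol static
set policy-options policy-statement share-default term local-default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement share-default term local-default then next-hop self
set policy-options policy-statement share-default term local-default then accept
```

Two things to check in a lab before trusting this: `show vrrp` should show SRX-A as master with the tracked interface listed, and `show route 0.0.0.0/0` on SRX-B should show its own static as active with the iBGP copy from SRX-A as a backup. Because the SRXs are stateful, any flow that SRX-B hands to SRX-A over the LAN enters SRX-A on its trust interface and is inspected there as a new trust-to-untrust session; the existing policy covers it, but the session-state point from the list above still applies, since nothing about the flow is known to the other box.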

That's pretty much what we've come up with so far. We're including feedback from this community as part of the discussion process, so feel free to pick all this apart and tell us what we're overlooking, what we're wrong about, etc. I'm thinking there are probably a bunch more bullet points that could be added to a few of the sections.

Thanks for any help you guys give.
