Auto-failover is all very well, but if you can't trust it (and I've had various vendor's examples fail on me) then you might as well not bother, and just have a manual process instead.
Frankly even with active/active stuff, I tend to make sure I'm alerted just to check it did actually swap properly...
Yes I know, I'm paranoid...
Biting the hand that feeds IT
