Hi,
You are correct in that you must have a unique IP for each VSI when using active/active NSRP and then a seperate route from the cisco router to each VSI IP.
A VSI interface is created to have a floating IP address between the firewalls.
For example:
SSG1
Eth 0/1:1 10.1.1.1 (active IP)
Eth 0/1:2 10.1.1.2 (backup IP)
Eth 0/2:1 2.2.2.1 (active IP)
Eth 0/2:2 2.2.2.2 (backup IP)
SSG2
Eth 0/1:1 10.1.1.1 (backup IP)
Eth 0/1:2 10.1.1.2 (active IP)
Eth 0/2:1 2.2.2.1 (backup IP)
Eth 0/2:2 2.2.2.2 (active IP)
If SSG 1 fails then SSG2 will take over the active IP addresses on SSG1
SSG1 (down)
Eth 0/1:1 10.1.1.1
Eth 0/1:2 10.1.1.2
Eth 0/2:1 2.2.2.1
Eth 0/2:2 2.2.2.2
SSG2
Eth 0/1:1 10.1.1.1 (active IP)
Eth 0/1:2 10.1.1.2 (active IP)
Eth 0/2:1 2.2.2.1 (active IP)
Eth 0/2:2 2.2.2.2 (active IP)
A redundant interface is where you have two interfaces on a SSG plugging into the same network and you want to have failover on those before failing over to another firewall. Creating a full mesh senario.
SSG1
Red.1 eth0/1 (active)
Red.1 eth0/2 (backup)
Red.1 IP 10.1.1.1
If eth 0/1 fails then eth0/2 will take over. If you have a pair of SSGs then only if eth 0/1 and eth 0/2 fail then the ssg will failover to the other SSG.
Have a look in the concepts and examples under High availability and look at the Active/Active full-mesh configuration for more information.
It depends how you have your firewalls cabled up and how you want them to act to whether you need to use just VSI interfaces for device failover or whether you use VSI and redundant interfaces for a full mesh senario.
I hope this explains a bit more.
Regards
Andy