Dropped packets on new installation - similar configuration used at other locations

ABaker94985

This is our 3rd implementation for a particular project, and the first two haven't had any issues. This is an ASA-5506X HA pair, and it resides wholly within our perimeter firewall - there is no connection directly to the Internet. With this implementation, we're getting 20% packet loss - CPU usage is less than 5%, free memory is 50%, firmware is 9.8.4-33, and it overall seems to be idling. "sho asp drop" gives the following:

Frame drop:
Flow is denied by configured rule (acl-drop) 19310
First TCP packet not SYN (tcp-not-syn) 5351
FP L2 rule drop (l2_acl) 10

There are some misconfigured internal hosts that are generating the majority of the acl-drops. The ACLs are very simple as they contain less than a dozen lines, but they are very restrictive. We're also seeing a 20% drop rate for pings to the firewall and through the firewall to the internal hosts, and we have an explicit rule for pings to traverse the firewall for certain hosts. These won't hit on either the acl-drop or tcp-not-syn for asp.

When the secondary is standby, there is 100% ping success TO the firewall. As soon as we fail over, the success rate for the secondary/now active drops to 80%, and there is still 20% loss through the firewall. I set up an icmp debug using "deb icmp tra" and did a comparison between echoes and echo-replies, and the counts were identical. I figured wherever the packets are dropping is before the debug.

I'm at a loss as to what to look at next. Does anyone have a suggestion?
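As an added example (not from the poster or Cisco), a small Python helper that parses two snapshots of "show asp drop" output and reports which counters moved between them, which is the usual way to check whether a measured ping loss lines up with any ASP drop reason. The snapshot text and counts are constructed for the example.

```python
import re

# Constructed "show asp drop" snapshots taken before and after a ping run;
# the reason names match the post, the counts are invented for this example.
SNAPSHOT_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)        19310
  First TCP packet not SYN (tcp-not-syn)               5351
  FP L2 rule drop (l2_acl)                               10
"""

SNAPSHOT_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)        19412
  First TCP packet not SYN (tcp-not-syn)               5360
  FP L2 rule drop (l2_acl)                               10
"""

# One counter line: free-text description, "(reason-name)", integer count.
LINE_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {reason: (description, count)}; header lines without a
    parenthesised reason (e.g. 'Frame drop:') are skipped."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m["reason"]] = (m["desc"], int(m["count"]))
    return counters


def drop_deltas(before, after):
    """Per-reason increase between two snapshots; unchanged counters are
    omitted so only reasons that actually dropped traffic remain."""
    old = parse_asp_drop(before)
    new = parse_asp_drop(after)
    deltas = {}
    for reason, (_desc, count) in new.items():
        increase = count - old.get(reason, (None, 0))[1]
        if increase > 0:
            deltas[reason] = increase
    return deltas


def candidate_reasons(deltas, probes_lost):
    """Reasons whose counter grew by at least the number of probes lost;
    only these could have absorbed all of the missing pings."""
    return sorted(r for r, n in deltas.items() if n >= probes_lost)
```

If no reason grows by at least the number of lost probes during the ping run, the ASP drop counters cannot explain the loss and a packet capture on the ingress interface is the next place to look.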
