ACE sticky config

Similar Messages

• ACE sticky cookie value

  Hello,
  I have a following configuration:
  sticky http-cookie STICKY_TMP STICKY_TMP
  cookie insert ...
  Cookies are sent and stickiness works. Everything is ok... Almost :-)
  Now I have a question regarding value of cookies created by ACE.
  Currently cookies have values that look like this "R4224709512"
  Is it possible to change this value so it reflects the target node that processes requests for this sticky session. This cookie could contain i.e. ip address of real server.
  Arrowpoint cookie on CSS1150 worked this way...
  Another question. How do I identify this cookie value with sticky-entries in "show sticky database static" output?
  This command doesn't show anything like R4224709512, but only numbers like 18293255029648678255
  best regards
  Kuba

  I am using ACE with version A3(2.1).
  The “sticky-entry” in "show sticky data static"is a hash of the cookie-value set by ACE for the real server. so you need to use "show sticky database http-cookie " to determine which server are serving the client.
  ACE-1/routed(config-pmap-lb-c)# do show sticky database http-cookie
  sticky group : web-sticky
  type : HTTP-COOKIE
  timeout : 5 timeout-activeconns : FALSE
  sticky-entry rserver-instance time-to-expire flags
  ---------------------+----------------------+--------------+-------+
  16820511103801384579 lnx1:0 0 -
  sticky group : web-sticky
  type : HTTP-COOKIE
  timeout : 5 timeout-activeconns : FALSE
  sticky-entry rserver-instance time-to-expire flags
  ---------------------+----------------------+--------------+-------+
  3347854103021350619 lnx2:0 0 -
  ..sometimes they'd only show up w/ the static instead of the cookies option for some reason.
  found some explanation about this:
  http://docwiki.cisco.com/wiki/Session_Persistence_Using_Cookie_Learning_on_the_Cisco_Application_Control_Engine_Configuration_Example
  There is a difference between inserting an ACE-generated cookie or using one learned by the ACE. The cookie-insert feature creates a static cookie.
  To look at static cookies you need to use the command:
  show sticky database static
  if you try static cookie (cookie inserted by ACE), the value is placed in the static sticky table at the time of configuration...
  so no need to send traffic, once the static sticky config is in place, you should see an entry with 'show sticky database static'.
  Do not try to filter the table with some other parameters...they do not work until A2(1.4)
  There are 2 database:
  One for static entries and one for dynamic entries.
  Every show command that does not include the static keyword will look into the dynamic database.
  So, you won't see anything by using those commands.
  You could perform some test to identify which cookie is sent to which server.
  The cookie value is static, so the number of value is limited to the number of servers.
  There is a dynamic cookie learning feature available in ACE.
  Kinly tell me if you want to discuus about that.
  Kindly rate if possible.
  Kind regards,
  Sachin garg

• ACE sticky problem

  Hi,
  I have an issue with sticky server that I’m hope might just be a command I’m missing.
  I am inserting a cookie and the sticky works fine.
  When my browser has a successful sticky connection i take the server that has the sticky connection out of service. I try to make another connection, i see the connection round robin to all remaining servers but i don’t get a successful connection i do see the connection failure count increment on all other servers in the farm. Only when i bring the server back into service can i get a successful connection.
  Any advice appreciated.
  Sticky config below.
  sticky http-cookie WEB-Cookie-1 WEB-Sticky-1
    cookie insert
    serverfarm WEB-SERVERS-80
  Code
  Version A3(2.0) [build 3.0(0)A3(2.0
  Thanks
  Chris

  Hello Chris, This will be an easy fix for you.  The command you are looking for is defined under the serverfarm inwhich you are creating sticky entries against.. You need to add a failaction.. I'm pasting the command syntax and options for the command.. Based on your breif description failaction purge will give you the desired result:
  (config-sfarm-host) failaction
  To configure the action that the ACE takes if a real server in a server farm goes down, use the failaction command. Use the no form of this command to reset the ACE to its default of taking no action when a server fails.
  failaction {purge | reassign [across-interface]}
  no failaction
  Syntax Description
  purge
  Specifies that the ACE remove the connections to a real server if that  real server in the server farm fails after you configure this command.  The appliance sends a reset (RST) both to the client and to the server  that failed.
  reassign
  Specifies that the ACE reassigns existing server connections to the  backup real server, if a backup real server is configured. If no backup  real server is configured, this keyword has no effect.
  across-interface
  (Optional) Instructs the ACE to reassign all connections from the failed  real server to a backup real server on a different VLAN that is  commonly referred to as a bypass VLAN. By default, this feature is  disabled.

• ACE sticky inconsistant

  i dotn seem to be getting a round robin effect on any of the 8 web servers being load balanced.
  example from sh sticky database group GROUPn
    4427481407323410243   WEB-SRV2:0             0              -
    2452774824762134266   WEB-SRV1:0             0              -
    8113453920705035427   WEB-SRV1:0             0              -
    17215884597540077782  WEB-SRV1:0             0              -
    123286896185049456    WEB-SRV2:0             0              -
    13101217844384152730  WEB-SRV2:0             0              -
    8462688148628735445   WEB-SRV2:0             0              -
    8799530925601492925   WEB-SRV1:0             0              -
    9158066764881164093   WEB-SRV1:0             208            -
    4233929232369710669   WEB-SRV1:0             469            -
    652881741833831225    WEB-SRV1:0             730            -
    11929551358522611685  WEB-SRV2:0             935            -
    2201018326228455336  WEB-SRV2:0             1024           -
    540836670260610939    WEB-SRV2:0             1406           -
    4341078594550796939   WEB-SRV1:0             1567           -
  MY STICKY CONFIG
  sticky http-cookie JSESSIONID GROUP6
    replicate sticky
    serverfarm WEB_FARM1_FARM
  any ideas ?
  Thanks in advance

  Configs - ip etc removed
  rserver host WEB-SRV1
     ip address nnnnn
    probe SRV_PROBE
    inservice
  rserver host WEB-SRV2
    ip address nnnnn
    probe SRV_PROBE
    inservice
  serverfarm host WEB_FARM
      rserver WEB-SRV1
      inservice
    rserver WEB-SRV2
      inservice
  serverfarm host HTTPS_FARM
      rserver WEB-SRV1 443
      inservice
    rserver WEB-SRV2 443
      inservice
  ssl-proxy service NAME_SSL_PROXY
    key name.key
    cert name.crt
    chaingroup NAME_CHAINGP
  sticky http-cookie JSESSIONID GROUP1
    replicate sticky
    serverfarm WEB_FARM
  class-map match-all HTTPS_VIP
    2 match virtual-address nnnn tcp eq https
  class-map match-all WEB_VIP
    2 match virtual-address nnnn tcp eq www
  policy-map type loadbalance first-match HTTPS_LB_POL
    class class-default
      sticky-serverfarm GROUP1
      insert-http X-Forward-For header-value "%is"
      ssl-proxy client NAME_SSL_PROXY
  policy-map type loadbalance first-match WEB_LB_POL
    class class-default
      sticky-serverfarm GROUP1
      insert-http X-Forward-For header-value "%is"
  policy-map multi-match CLIENT_VIPS
    class WEB
      loadbalance vip inservice
      loadbalance policy WEB_LB_POL
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 151
  policy-map multi-match HTTPS_VIPS
    class HTTPS
      loadbalance vip inservice
      loadbalance policy HTTPS_LB_POL
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 151
  interface vlan 15
    description WEB DMZ
    ip address nnn 255.255.255.192
    alias nnn  255.255.255.192
    peer ip address nnn  255.255.255.192
    no normalization
    no icmp-guard
    access-group input any
    access-group output any
    nat-pool 1 nnn nnn+1 netmask 255.255.255.192 pat
    service-policy input REMOTE_MGT
    no shutdown
  interface vlan 90
    description CLIENT-FACING VLAN
    ip address nnn 255.255.255.240
    alias nnn 255.255.255.240
    peer ip address nnn 255.255.255.240
    mtu 1500
    no normalization
    no icmp-guard
    access-group input any
    access-group output any
    service-policy input REMOTE_MGT
    service-policy input HTTPS_VIPS
    service-policy input CLIENT_VIPS
    no shutdown
  The topology is active/active the NAT is to route traffic back the way it came in - the servers use have static routes configured  to work with the ACE NAT

• ACE Stickiness Question

  Hi Folks,
  First of all I am new the job and have very little ACE expierence. I work on a large campus. We have to 6513's with an ACE blade in each. A few contexts configured for different applications. Basically the server guys have come to me and asked me to enabled stickiness on one of there contexts.
  Now I am sure this is basic stuff to ye guys but I am just wondering what I need to do? Can I implement this on the fly without causing an outage? I have cut and paste  the relevant context below. And added the changes I think that need to be made. Do you guys think this will work and will it cause any outage?
  I appreciate any help at all guys:
  Here is current config:
  probe tcp APPS-PROBE
  port 8080
  interval 3
  passdetect interval 5
  parameter-map type ssl SSL-APPS-ADVANCED
  cipher RSA_WITH_RC4_128_MD5
  rserver host SERVER1
  ip address 10.10.10.1
  inservice
  rserver host SERVER2
  ip address 10.10.10.2
  inservice
  ssl-proxy service SSL-APPS-PROXY
  key appfiles.pem
  cert appfilesCAcert
  chaingroup APPFILES-CHAINGRP
  ssl advanced-options SSL-APPS-ADVANCED
  serverfarm host APPS-FARM
  predictor leastconns
  probe APPS-PROBE
  rserver SERVER1 8080
  inservice
  rserver SERVER2 8080
  inservice
  class-map match-any APPS-VIP
  2 match virtual-address 10.10.10.4 tcp eq https
  policy-map type management first-match MGT-POLICY
  class class-default
  policy-map type loadbalance first-match APPS-POLICY
  class class-default
  serverfarm APPS-FARM
  policy-map multi-match APPSPOLICY
  class APPS-VIP
  loadbalance vip inservice
  loadbalance policy APPS-POLICY
  loadbalance vip icmp-reply active
  ssl-proxy server SSL-APPS-PROXY
  service-policy input APPSPOLICY
  Will adding the following to the context make stickiness work?
  sticky ip-netmask 255.255.255.255 address source STICKY-APPS-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm APPS-FARM
  policy-may type loadbalance first-match APPS-POLICY
  class class-default
  sticky-serverfarm STICKY-APPS-FARM
  I am really lost on this and only getting this from looking at stickiness on other configs. Can you guys advise will this work.

  Also look at the following :
  www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/vlansif.html
  Autogenerating a MAC Address for a VLAN Interface
  By default, the ACE does not allow traffic from one context to another  context over a transparent firewall. The ACE assumes that VLANs in  different contexts are in different Layer 2 domains, unless it is a  shared VLAN. The ACE allocates the same MAC address to the VLANs.
  When you are using a firewall service module (FWSM) to bridge traffic  between two contexts on the ACE, you must assign two Layer 3 VLANs to  the same bridge domain. To support this configuration, these VLAN  interfaces require different MAC addresses.
  To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:
  mac address autogenerate
  For example, enter:
  host1/Admin(config-if)# mac address autogenerate
  To disable MAC address autogeneration on the VLAN, use the no mac address autogenerate command. For example, enter:
  host1/Admin(config-if)# no mac address autogenerate

• Ace Sticky Configuration

  Hi Guys,
  I'm trying to set up a sticky configuration on an ACE modeule in a 6500.
  I've got the loadbalancing woking happily but need to ammend the config to add stickiness.
  As far as I know the first command is someting on the lines of...
  sticky http-cookie COOKIENAME STICKYGROUP
  however when I put this in I get the following error.
  Error: Sticy resource not available
  I suspect that i'm missing something obvious.
  Any assistance is greatly appreciated.
  Regards
  Steve

  By default all the resources are available to ACE contexts except sticky resource.
  You need a resource class with sticky resource defined and this class applied to the context.
  for example
  resource-class GOLD
  limit-resource sticky minimum 1 maximum equal-to-min
  Thanks
  Syed Iftekhar Ahmed

• ACE 4710: Config Allows all traffic except large HTTP downloads

  Hi Folks,
  Got an ACE 4710 with a basic config that seems to work for all traffic except large downloads.
  I've attached the current config
  As I mentioned I can do normal HTTP to a standard destination like google or SSH through the ACE or ICMP
  If i try to get a large file from the server side of ACE, then a trace shows that the first and subsequent 1460Byte packets dont go through ACE
  I've thought of parse lengths, but i cannot see any that seem to affect the generic L4 maps that I am trying to use
  Cheers
  Alan

  I've seen a similar fault. I suppose a lower MSS was sent in the TCP SYN handshake packets (1300 or 1380?) and the packets exceeding that value were dropped by the ACE. This is the default behavior which can be switched to a less strict mode by either
  exceed-mss allow
  or
  no normalization
  commands.
  In our case, a linux web server was whose replies wouldn't keep to the MSS limit.

• ACE Sticky Connections, Show Conn Output and Show serverfarm

  Hi Community,
  I'm deploying a Cisco ACE module and I have some questions about sticky connections and about the output of the show conn command and show serverfarm command.
  I have the follwoing configuration:
  rserver host srv_1  ip address 10.4.11.14  inservicerserver host srv_2  ip address 10.4.11.18  inserviceserverfarm host farm_144  rserver srv_1 144    weight 1    inservice  rserver srv_2 144    weight 3    inservice
  sticky ip-netmask 255.255.255.255 address source st_host144
    timeout 10080
    serverfarm farm_144
  class-map match-all vip_144
    2 match virtual-address 10.4.11.208 tcp eq 143
  policy-map type loadbalance first-match lb_144
    class class-default
  policy-map multi-match policy_vip_webcache
    class vip_webcache_144
      loadbalance vip inservice
      loadbalance policy lb_144
      loadbalance vip icmp-reply active
      nat dynamic 411 vlan 411
  We can assume that service policy was applied at the interface vlan. So, let's go to the questions:
  1- If sticky is enabled the output command "show conn" should show just one entry by ip address?
  The real output is:
  DC01-ACE-01-PRIMARY-SW1/context_servidores# show conn | inc :143333046     1  in  TCP   411  10.2.158.87:3616      10.4.11.208:143       ESTAB 286390     3  in  TCP   411  10.2.158.87:3562      10.4.11.208:143       ESTAB310233     1  in  TCP   411  10.1.5.87:3424        10.4.11.208:143       ESTAB
  Look that the ip address 10.2.158.87 is shown 2 times. In same times, the same ip address is shown 4 times to the same VIP and the same port. Is it a normal behavior?
  2- According to the configuration, the srv_2 has weight 3 and srv_1 has weigth 1, but the output of show serverfarm show somethin strange:
  DC01-ACE-01-PRIMARY-SW1/context_servidores# show serverfarm farm_144 serverfarm     : farm_144, type: HOST total rservers : 2 state          : ACTIVE DWS state      : DISABLED ---------------------------------                                                ----------connections-----------       real                  weight state        current    total      failures    ---+---------------------+------+------------+----------+----------+---------   rserver: srv_1       10.4.11.14:144        1   OPERATIONAL     11         386        0   rserver: srv_2       10.4.11.18:144        3   OPERATIONAL     35         66         0
  We can see that the weight is working good, but the total of connections is higher at srv_1 than srv_2. Why?
  Somebody can help me to understand better this problem of if its a normal behavior?
  Thanks in advance!!

  Hi Gaurav,
  About question 1, I got some informations too. It's perfectly normal the client open 2 or more connections at the same time. The client's application is the responsable. We removed the ACE and put the client directly to the server and the result of the total connections opened was the same.
  About question 2, I made some "clears" on the serverfarm, the sticky database and after that, the numbers were more real.
  DC01-ACE-02-SECONDARY-SW1/context_servidores# sh serverfarm farm_webcache_144
  serverfarm     : farm_webcache_144, type: HOST
  total rservers : 2
  state          : ACTIVE
  DWS state      : DISABLED
                                                  ----------connections-----------
         real                  weight state        current    total      failures
     ---+---------------------+------+------------+----------+----------+---------
     rserver: srv_webcache_1
         10.4.11.14:144        1   OPERATIONAL     1025       15499      4436
     rserver: srv_webcache_2
         10.4.11.18:144        2   OPERATIONAL     1794       33471      471
  DC01-ACE-02-SECONDARY-SW1/context_servidores#
  Anyway thank you very much for your feedback.
  Plínio Monteiro

• ACE: design/config question: trans.slb + slb + mngt

  Hi,
  Could this ACE setup/design work?
  I want PROXIED sessions (to VIP proxy 10.0.0.10) to be loadbalanced
  All other sessions (eg. Some public ip's) will have to transparent loadbalanced to proxy servers. Thus not destinations NAT
  ACE is inline between firewalls and proxy servers.
  Vip definitions:
  class-map match-all P_PXYVIP_VS_LB
  2 match virtual-address 10.0.0.10 255.255.255.255 tcp 8080
  class-map match-all P_PXYTRANS_VS_LB
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
  Question in this case: would it still be possible to have management sessions towards proxy servers routed by the ACE ? (physical ip addresses of proxy)
  Probably the classmap PXYTRANS is catching those sessies also.
  Are there other design/config solutions to solve this one?
  Thank you!
  Wim

  Let me repose the question:
  How could one still be able to access the realserver IP (which is directly connected
  to the ACE) for manangement.
  Knowing that there is 1 VIP which (normal) loadbalance to the realservers
  and
  there is 1 VIP 0.0.0.0 tcp any which is configure to catch all other traffic to be
  transparant loadbalanced.
  The VIP 0.0.0.0 is always catching the sessions which need only to be routed
  to the real servers ip.

• ACE Sticky issue.

  Hi,
  The Sticky function of the ACE is not working. There were no changes been made on the device it was working fine before but not now,.
  We have 2 ACE one is Active(ACE1) and Second one is Standby (ACE2).
  Testing done till now:-
  ================
  Done the Failover from Active(ACE1) to Standby (ACE2).
  When ACE2 was Active the Sticky started working fine without any issues.
  2)  when I did the failover again back from ACE2 to ACE1 the problem arrise Sticky doesnt work any more.
  Any suggestion about this strange behaviour?
  Thanks in advance.
  Regards
  Alex.

  What version do you run ?
  What type of sticky method ?
  Could you get a
  - show np 1 me-stats "-slb"
  and a
  - show np 2 me-stats "-slb"
  Possibly get 2 occurences one before and one after a test.
  Thanks,
  Gilles.

• ACE: sticky serverfarm

  Dear all,
  I do have a question about the configuration option of a sticky serverfarm. There is an option to timeout active conns. Originally my thinking was that this option changes the sticky behaviour to a session timeout instead an idle timeout. While testing this seems to be not correct
  sticky http-cookie myCookie myStickyServerfarm
  timeout 10
  timeout activeconns
  replicate sticky
  serverfarm myServerfarm backup mySorryfarm
  The manual explains it like this:
  Configuring a Cookie Sticky Timeout
  The sticky timeout specifies the period of time that the ACE keeps the HTTP cookie sticky information for a client connection in the sticky table after the latest client connection terminates. The ACE resets the sticky timer for a specific sticky-table entry each time that the module opens a new connection that matches that entry.
  This brings me to the question, what is this option used for. The only diffrence I can see is, that there is a http connection which is open for longer than the timeout value (here 10min) will be kicked out and in the meantime this sticky-entry isn't used (otherwise the idle time would be reset).
  Are there any other explanations what this feature can do?
  best regards
  Oliver

  Hi Oliver,
  I'm afraid the official documentation is not very clear on this section.
  The sticky timeout doesn't count since the moment that the last connection is closed, but since it's established. However, by default it will not remove the sticky entry as long as there are connections still active. This is what can be tuned with the "timeout activeconns".
  When the "timeout activeconns" option is present, the ACE will remove the sticky entry as soon as the timer is reached, regardless of whether there are active connections or not.
  I hope this answers your question, but if you want some further clarification, let me know.
  Regards
  Daniel

• ACE ASN config sample

  All,
  Working on a new project where it appears at this time that the new application supports only an ASN type config.
  I am trying to find out from the vendor whether or not any other method is supported. Currently our production VIPs
  are all configured in ACE L3 mode, so this won't be an easy fit into our "normal" model. We have the ACE modules
  in 6509s.
  Is anyone using ASN and would you be willing to share some scrubbed config samples? It seems to me that if I have
  to do this setup using ASN, my two options at this point would be to assign the server IPs on the outside or client-side
  vlan of the ACE, or burn another context solely for this setup. Neither way is desirable to me, but I am hoping that the
  vendor will not say their app is dependant upon ASN.
  Just curious, and thanks in advance for any help/advice - chris

  Solved

• ACE Sticky Slow-Start License

  Hi,all,
  I am testing ACE module@7606,
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_1_69.bin
  installed license: ACE-SSL-05K-K9.
  I wanta know if it is caused by license,Please help~~:)
  Phenomenon:
  1. Client sends a HTTP request to server
  2. server returns a HTTP response to Client, the response contains a HTTP URL and HTTP body, server sends HTTP URL first, then sends HTTP body right now.
  3. Client receives the HTTP URL first, after about 200ms, Client receives the HTTP body.
  . Root cause:
  1. If ACE receives the HTTP URL from rserver, it forwards the URL to Client. Then ACE will wait for a TCP ACK from client, before ACE receive the TCP ACK from client, it will not forward the HTTP body following to Client, the action is caused by TCP Slow Start algorithm. Windows Client will send the TCP ACK to ACE after about 200ms(40ms for Linux), the action is caused by TCP Delayed ACK algorithm. So from client side, it costs more than 200ms(or 40ms) to receive the entire HTTP response.
  . Solution:
  1. Disable Slow Start algorithm to VIP on ACE
  . Existing Issue:
  1. After disable Slow Start algorithm, the response time will be normal if Client access WAPI by VIP with SSL(means HTTPS). But the issue still exist if Client access server by VIP without SSL(means HTTP).
  2. I associate a policy of stickiness to VIP, both SSL and non-SSL. If I remove the policy of stickiness, the response time will be normal. It seems the policy of stickiness will make Slow Start algorithm enable.

  slowstart is disabled by default on ACE.
  switch/Admin# show parameter-map AllowMss
  Parameter-map : AllowMss
  Type : connection
  nagle : disabled
  slow start : disabled
  buffer-share size : 32768
  inactivity timeout (seconds) : TCP: 3600, UDP: 120, ICMP: 2
  embryonic timeout (seconds) : 5
  ack-delay (milliseconds) : 200
  But the ack-delay is indeed 200msec.
  Try to set the ack-delay to a lower value and see if that improves the situation.
  Gilles.

• ACE Ft config sync question during primary ACE blade replacement

  I am replacing my primary ACE blade and am wondering if when I reconfigure the admin context with the ft groups will I have any issues syncing the secondary back to the primary? I don't want to run the risk of a blank config from the new primary blade being pushed to secondary.
  Any help is appreciated.
  thanks

  Treat the current as primary and put the new module as a secondary (by applying low priority vlaues for ft vlans ) and disable premption.
  Complete steps will be...
  Before putting the new module in, configure the standby (which should be acting as master -- since primary is out) module with the "no-preempt" option on each FT vlan.
  Now with new module
  1. Bring the new ACE module online and upgrade it to the same software than is running on the temp master.
  2. Define all of your resource-maps, FT vlans
  3. Add "no preempt", set a lower "priority" than is defined on the peer (temp master)
  4. Install any SSL certificates
  5. Define your context (repeating the same for SSL certs if necessary).
  6. Add the command "ft auto-sync" to your Admin context.
  7. Once the configuration has synced, (by confirming the FT status is now
  "FSM_FT_STATE_STANDBY_HOT"), you're ready to perform the FT switch over.
  8.In your Admin context, change the peer priority to be lower than the new
  master for each FT group, then issue the command "ft switchover X",
  replacing X with each FT group beginning in the Admin context, then doing the same in your other context.
  Thanks
  Syed

• ACE - Sticky using XFF client value

  Might be a stupid question  ....but we have a situation where client traffic is LB to our proxy infrastructure , at the LB the XFF client address is inserted into the header and source sticky is enabled. We now need to LB to addtional servers( more than within our proxy infrastructure) downstream from our proxy servers and retain the client sessions, if we use source sticky we will have a one to one relationship with the downstream servers . This we don't want as we want to spread the load across all downstream servers. My question is instead of source IP sticky could we use say the XFF info or something else to stick sessions to the downstream servers.

  Hi,
  So your proxy server will need to contact different servers through loadbalancer?
  You can use cookies for the same and make the ACE to insert cookie. I haven't tried using XFF header and value for sticky but ACE let's you configure it so it can be tried too.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.