XSRF Security Token Missing or session expiring in Jira

Hello, we have jira  9.11.2 deployed via custom helm chart in dc mode. Sometimes our clinets catch the XSRF issue. 

We have read https://confluence.atlassian.com/jirakb/xsrf-security-token-missing-or-session-expiring-in-jira-1032258314.html and tried to:

• disable bot
• increase session timeout
• and etc

We have turned on sticky session to ingress and service.

...

Annotations:
cert-manager.io/cluster-issuer: letsencrypt-certs
external-dns.alpha.kubernetes.io/cloudflare-proxied: false
kubernetes.io/ingress.class: public
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
...
nginx.ingress.kubernetes.io/proxy-body-size: 500m
nginx.ingress.kubernetes.io/proxy-connect-timeout: 300
nginx.ingress.kubernetes.io/proxy-read-timeout: 1800
nginx.ingress.kubernetes.io/proxy-send-timeout: 300
nginx.ingress.kubernetes.io/ssl-redirect: true

...
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.61.72.5
IPs: 10.61.72.5
Port: http 80/TCP
TargetPort: http/TCP
Endpoints: 10.61.5.6:8080,10.61.8.6:8080
Port: listener-port 40001/TCP
TargetPort: listener-port/TCP
Endpoints: 10.61.5.6:40001,10.61.8.6:40001
Port: object-port 40002/TCP
TargetPort: object-port/TCP
Endpoints: 10.61.5.6:40002,10.61.8.6:40002
Port: multicast-port 40003/TCP
TargetPort: multicast-port/TCP
Endpoints: 10.61.5.6:40003,10.61.8.6:40003
Session Affinity: ClientIP
Events: <none>

Despite that fact some users are redirected to anoter instance and get the XSRF issue.

What to do? What should I pay attention to?