Description: This article describes why a Phase 2 rekey can be seen before the timer set in the Phase 2 settings on FortiGate has elapsed.
When an IPsec tunnel is created between FortiGate and Cisco ASA, the two devices use different Phase 2 settings by default.
On FortiGate, the Key lifetime is set in seconds by default, so Phase 2 rekeys after the time specified there.
The Key lifetime in kilobytes (rekeying after a specific amount of traffic has flowed through the tunnel) is disabled by default but can be enabled if needed.
To change it, select 'Seconds' and choose 'Kilobytes' or 'Both'.
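On Cisco ASA, the default is 4608000 kilobytes/3600 seconds.
Because the ASA also counts traffic, a tunnel that carries 4608000 kilobytes before the time lifetime ends is rekeyed by the ASA ahead of the timer configured on FortiGate.
After changing the setting on the Cisco side, the rekey happens after the time specified in the Phase 2 settings.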
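The following added example (not from the original article or from either vendor) models which Phase 2 lifetime expires first for a given traffic rate. It assumes a constructed FortiGate key lifetime of 3600 seconds, treats "changing the setting on the Cisco side" as disabling the kilobyte lifetime, and ignores the margin by which real devices rekey shortly before the hard limit.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Phase2Lifetime:
    peer: str
    seconds: Optional[int] = None    # time-based lifetime; None = disabled
    kilobytes: Optional[int] = None  # traffic-based lifetime; None = disabled


def first_rekey(peers, rate_kbytes_per_s):
    """Return (elapsed_seconds, peer, trigger) for the limit reached first."""
    candidates = []
    for p in peers:
        if p.seconds is not None:
            candidates.append((float(p.seconds), p.peer, "seconds"))
        if p.kilobytes is not None and rate_kbytes_per_s > 0:
            # Time needed to push the kilobyte budget through the tunnel.
            candidates.append((p.kilobytes / rate_kbytes_per_s, p.peer, "kilobytes"))
    if not candidates:
        raise ValueError("no lifetime configured on either peer")
    # On a tie the peer listed first wins, so the result is deterministic.
    return min(candidates, key=lambda c: c[0])


def crossover_rate(peers):
    """Traffic rate (KB/s) above which a kilobyte limit fires before any timer."""
    secs = [p.seconds for p in peers if p.seconds is not None]
    kbs = [p.kilobytes for p in peers if p.kilobytes is not None]
    if not secs or not kbs:
        return None  # only one kind of lifetime is in play
    return min(kbs) / min(secs)


# FortiGate value is constructed for the example; ASA values are the defaults
# quoted in the article (4608000 kilobytes / 3600 seconds).
DEFAULTS = [
    Phase2Lifetime("FortiGate", seconds=3600),
    Phase2Lifetime("Cisco ASA", seconds=3600, kilobytes=4608000),
]
# Assumed change on the Cisco side: kilobyte lifetime disabled.
ALIGNED = [
    Phase2Lifetime("FortiGate", seconds=3600),
    Phase2Lifetime("Cisco ASA", seconds=3600),
]

if __name__ == "__main__":
    for rate in (500, 4000):  # constructed traffic rates in KB/s
        print(rate, first_rekey(DEFAULTS, rate), first_rekey(ALIGNED, rate))
    print("crossover KB/s:", crossover_rate(DEFAULTS))
```

With these values the kilobyte limit only wins above 1280 KB/s, which is why the early rekey shows up on busy tunnels and not on idle ones.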