FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 275657
Description This article describes why Phase 2 rekeying can be visible before the timer is set in Phase 2 settings on FortiGate. 
Scope FortiGate v7.0+.

When an IPSec tunnel is created between FortiGate and Cisco ASA, they have different Phase 2 settings by default.


On FortiGate, the default setting is that the Key lifetime is in seconds, so Phase 2 will rekey after the time specified here.

The Key lifetime in kilobytes (Rekeying after a specific amount of traffic flows through the tunnel) is disabled by default but can be changed if needed.

The image below shows what the default setting looks like:




It is possible to change it by selecting 'Seconds' and choosing Kilobytes or both.


On Cisco ASA, the default setting is set to 4608000 kilobytes/3600 seconds.
So whichever of them is reached first, triggers a rekey from the Cisco Side.

To not have the rekeying triggered by the amount of data flowing through the tunnel,  change the setting on the Cisco Side.

Here is an article with more information on this:

set security-association lifetime kilobytes unlimited


After changing the setting on the Cisco Side, the rekey happens after the time mentioned in the Phase 2 setting.
Also, make sure that the time is the same on both FortiGate and Cisco.