Hi, I recently was troubleshooting some tunnel issues between Palo Alto firewalls and noticed in debug messages that there were soft lifetime and hard lifetime exchanged in negotiations. Apparently hard lifetime is when the sa expires but soft is before the time is up and gateway build a new one. Now i never saw this in Cisco debug messages or maybe I didn’t notice, do we have this setting in config or is it something the gateway automatically set? How we can make sure this is the same between two peers as if one peer start using new SA while the other one keep using current one until is expired, we will have drops.

thanks