I think this might be an expected behavoir.
show crypto isa sa --> phase 1 status
show crypto ipsec sa ---> phase 2 status.
Phase 1 and phase 2 have different timeout value.
Before phase 2 SA is close to expiration, system will negociate a new one since we need it to encrypted and decrypted the traffic.
But we don't do the same on phase 1 SA. We will re-negociate phase 1 SA only when we need re-build phase 2 SA and find no phase 1 SA existing.
You can confirm the above the behavior by checking both phase 1 (show crypt isa sa detail) and phase 2 timer.
Phase 2 use both KB/second as timer, default is about 4G/1 hours.
Phase 1's timer by default is 24 hours.