In order to make the top attacker list, your VPN clients are most likely triggering a signature falsely.
First order of business is to verify that indeed this is a false positive. Do this by investigating the signature, what it is trying to detect and verify that the VPN clients are not presenting the attack represented by this signature.
Next you need to decide if this signature is worthy keeping around for the rest of your network traffic. If not, it should be retired. If it does provide some value, then create an Event Action Filter to block the signature from firing on the VPN Client host IP addresses
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_event_action_rules.html#wp2136561
In order to run an IPS Sensor effectively, you need to review what signatures are firing and tune you sensor accordingly.
- Bob