One check you can do is the routing table of the client machine after they connect to VPN. IF you are using split tunneling, the routing table should only have internal networks routes to VPN adapter. Otherwise, the default route should point to the VPN adapter. Since only some users are facing this, see if they are falling into a different group-policy on the ASA.