Is this only when you're users are attempting to log in for the first time? Our provisioning workflow requires our provisioners to be on our LAN or connected to WiFi AnyConnect during provisioning. Provisioning occurs as a local admin and then the provisioner logs out of the local admin and has the user log in as themselves. In almost all cases, this is done on the LAN but we have one office that has to use the WiFi VPN option. What we discovered is that this workflow would not work without an additional step. After provisioning was complete but before logging out of the local admin, Terminal was opened and "su username" was entered, prompting the user for their AD password and performing an initial transfer of the user and credentials between the Mac and AD while still on VPN. This extra step would then allow the user to login at the login screen even though AnyConnect was no longer connected. If that Terminal command wasn't entered, then the symptoms were similar to what you initially described. Afterward, all subsequent logins worked fine regardless of VPN connection because of being a mobile user. But like I said, this would only be relevant to you if your issues are on the initial login only.
