The host VPN is irrelevant. Whether active or not, Whonix only generates Tor traffic.
Possibilities:
- user mistake, you used ssh from the host
- you (also) connected to the VPN from within the workstation?
- the VPN is hosted on a shared server / shared IP which does not only host a VPN service, but also a Tor service. You can use ExoneraTor to find that out.
- a Whonix bug, which I find very, very unlikely
Btw Whonix documentation recommends to use a fail closed mechanism so there will be no more traffic once the VPN breaks down. ( Connecting to a VPN before Tor )
Doesn’t help because Tor by The Tor Project defaults is generating Tor traffic independently from whether you are using it or not once Tor is started and setting DisableNetwork 1 is not in effect.