OK, well if that was happening to me I would do this:
1/ Create an access list on the Controller's LAN switch that filters to just the Controller's IP addresses and logs every hit.
2/ After a week of this, I would examine those logs and create an access list on the switch that locked communications right down to what it uses.
It would look something like this:
Controller --> Phone Subnet:
    UDP 68 (only if you use the controller for DHCP)
    UDP 50000-50511
    (Maybe UDP 0-65535)
Phone Subnet --> Controller:
    UDP 67 (only if you use the controller for DHCP)
    UDP 69
    UDP 20001
    UDP 50000-50511
    (Maybe UDP 0-65535)
    TCP 80, 443, 3998, 3999, 6800, 6801, 6802
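Step 2 of the procedure above (a week of "log every hit", then derive the lockdown list from what was actually seen) is the part people tend to do by eye. The script below is an added example, not code from the post or from any switch vendor: it parses Cisco IOS style `%SEC-6-IPACCESSLOGP` lines from the logging ACL, keeps only destination ports (source ports are ephemeral and must not be hard-coded), groups them per direction and protocol, coalesces contiguous ports into ranges, and emits an IOS extended ACL that ends in `deny ip any any log` so the lockdown keeps reporting what it drops. The controller address `10.1.10.5`, the phone subnet `10.1.20.0/24`, the ACL names and all log lines are constructed for the example.

```python
"""Derive a least-privilege controller<->phone-subnet ACL from a week of
'permit ... log' hits.  Added example; addresses, ACL names and log lines
below are constructed, and the syslog format assumed is Cisco IOS's
%SEC-6-IPACCESSLOGP output for an extended ACL entry with the 'log' keyword."""
import ipaddress
import re
from collections import defaultdict

CONTROLLER_IP = "10.1.10.5"     # assumption: the controller's address
PHONE_SUBNET = "10.1.20.0/24"   # assumption: the phone VLAN

LOG_RE = re.compile(
    r"IPACCESSLOGP: list \S+ permitted (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample of one week's hits (trimmed); one unrelated syslog
# line and one flow that is not controller<->phones are included on purpose.
SAMPLE_LOG = """\
Jan 12 10:01:03 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted udp 10.1.20.15(68) -> 10.1.10.5(67), 1 packet
Jan 12 10:01:03 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted udp 10.1.10.5(67) -> 10.1.20.15(68), 1 packet
Jan 12 10:01:04 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted udp 10.1.20.15(3125) -> 10.1.10.5(69), 4 packets
Jan 12 10:01:09 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted tcp 10.1.20.16(49152) -> 10.1.10.5(443), 12 packets
Jan 12 10:01:10 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted tcp 10.1.20.16(49160) -> 10.1.10.5(80), 3 packets
Jan 12 10:02:00 sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jan 12 10:05:31 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted udp 10.1.20.17(50004) -> 10.1.10.5(50004), 200 packets
Jan 12 10:05:31 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted udp 10.1.20.17(50005) -> 10.1.10.5(50005), 1 packet
Jan 12 10:05:32 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted udp 10.1.10.5(50004) -> 10.1.20.17(50004), 198 packets
Jan 12 10:07:41 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted tcp 10.1.20.16(49200) -> 10.1.10.5(3998), 2 packets
Jan 12 10:07:41 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted tcp 10.1.20.16(49201) -> 10.1.10.5(3999), 2 packets
Jan 12 11:30:02 sw1 %SEC-6-IPACCESSLOGP: list CTRL-LOG permitted tcp 192.168.5.9(55000) -> 10.1.10.5(22), 1 packet
"""


def classify(src, dst):
    """Name the flow direction, or 'unexpected' if it is not controller<->phones."""
    ctrl = ipaddress.ip_address(CONTROLLER_IP)
    phones = ipaddress.ip_network(PHONE_SUBNET)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == ctrl and d in phones:
        return "ctrl_to_phones"
    if d == ctrl and s in phones:
        return "phones_to_ctrl"
    return "unexpected"


def summarize(lines):
    """Collect destination ports per (direction, proto).  Source ports are
    ephemeral and deliberately ignored.  Returns (ports, unexpected_flows)."""
    ports = defaultdict(set)
    unexpected = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL hit line
        direction = classify(m["src"], m["dst"])
        if direction == "unexpected":
            unexpected.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
            continue
        ports[(direction, m["proto"])].add(int(m["dport"]))
    return ports, unexpected


def port_ranges(ports):
    """Coalesce a set of ports into sorted, contiguous (lo, hi) ranges."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def build_acl(ports, name="CTRL-LOCKDOWN"):
    """Emit IOS extended ACL lines permitting only the observed flows,
    closing with an explicit deny that still logs."""
    net = ipaddress.ip_network(PHONE_SUBNET)
    phones = f"{net.network_address} {net.hostmask}"  # IOS wildcard mask
    ctrl = f"host {CONTROLLER_IP}"
    acl = [f"ip access-list extended {name}"]
    for direction, proto in sorted(ports):
        src, dst = (ctrl, phones) if direction == "ctrl_to_phones" else (phones, ctrl)
        for lo, hi in port_ranges(ports[(direction, proto)]):
            match = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            acl.append(f" permit {proto} {src} {dst} {match}")
    acl.append(" deny ip any any log")
    return acl


if __name__ == "__main__":
    observed, odd = summarize(SAMPLE_LOG.splitlines())
    print("\n".join(build_acl(observed)))
    for flow in odd:
        print("! review before going live:", flow)
```

Treat the observed ports as a lower bound, not the final list: a week of logs shows the ports that happened to be used, so anything that belongs to a documented block (the 50000-50511 style ranges above) should be widened to the documented range before the ACL is applied, and every flow the script reports as unexpected needs a decision rather than a silent drop.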