CDRouter Support

CDRouter 11.5 Release Notes

knowledge-base version 11.8

Release History

Release Type            Release Number          Release Date
Original                CDRouter 11.5 Build 2   July 18, 2019
Maintenance Release 1   CDRouter 11.5 Build 3   August 14, 2019

Note: CDRouter 11.5 includes many new features and configuration testvars. Old config files can be automatically upgraded to include all new CDRouter 11.5 testvars using the config upgrade utility.

Attention: Operating System Deprecation Notice

Support for the Ubuntu operating system and CentOS 6 has been deprecated. CDRouter systems running on Ubuntu or CentOS 6 will now see warning messages during installation and in the ‘start’ log of a test run.

Support for both of these operating systems will be officially removed with the next major version of CDRouter (12.0). Please contact for additional information and assistance in migrating to a supported operating system.

All CDRouter systems will require the CentOS 7 operating system in order to install CDRouter 12.0 and beyond.

CDRouter 11.5 Build 2 July 18, 2019

New Features and Enhancements


  • Support for WPA3

    CDRouter now supports WPA3-Personal and WPA3-Enterprise in client mode on the LAN and access point (AP) mode on the WAN.

    WPA3 requires many advanced new wireless features which are also now supported, including Protected Management Frames (PMF), 256 bit ciphers (GCMP and CCMP), and new key management suites such as Simultaneous Authentication of Equals (SAE) and Suite-B.

    Additional information about all new wireless enhancements included in this release is provided below.

  • New WPA configuration presets for WiFi Alliance security modes

    CDRouter now supports a simplified configuration model for six common wireless security modes defined by the WiFi Alliance: WPA-Personal, WPA-Enterprise, WPA2-Personal, WPA2-Enterprise, WPA3-Personal, and WPA3-Enterprise. These six modes are now options that can be configured directly in client mode on the LAN using the testvar wpaMode.

    These modes represent configuration presets that force all other WPA related testvars to specific, fixed values which speeds up and simplifies the configuration process. For more information on these modes and advanced WPA configuration please see this Knowledge Base article.

    These modes are also available as options for configuring CDRouter’s AP on the WAN using the testvar wanApWpaMode.

    Note that when any of these modes are used the advanced WPA configuration options highlighted below are configured automatically and do not need to be specified.

    Note that WPA3-Enterprise modes require the 802.11ac Wave 2 wireless adapter included in the NTA1000v6 platform. As a result, WPA3-Enterprise is not supported on older NTA1000 systems.

  • Support for WPA Protected Management Frames (PMF)

    CDRouter now supports Protected Management Frames (PMF) for RSN and WPA3. PMF support is required for all WPA3 security modes and optional for all RSN security modes. The new testvars wpaPMF and wanApWpaPMF can be used to enable or disable PMF support in client mode on the LAN and AP mode on the WAN, respectively.

    By default these testvars are set to a value of auto, which will enable PMF for WPA3 modes and disable PMF for all other modes.

  • Support for GCMP pairwise and group ciphers

    CDRouter now supports Galois Counter Mode Protocol (GCMP) cipher suites in addition to Counter Mode CBC-MAC Protocol (CCMP) and TKIP. For client mode on the LAN the testvars wpaCipher and wpaGroupCipher have been updated with two new GCMP specific options: GCMP-128 and GCMP-256.

    In AP mode on the WAN, the testvars wanApWpaCipher and wanApWpaGroupCipher also support these new options.

  • Support for 256 bit CCMP pairwise and group ciphers

    CDRouter now supports 256 bit CCMP cipher suites in addition to 128 bit CCMP, TKIP, and GCMP (128 and 256 bit). The testvars wpaCipher and wpaGroupCipher have been updated with a new 256 bit CCMP option: CCMP-256.

    In AP mode on the WAN, the testvars wanApWpaCipher and wanApWpaGroupCipher also support this new option.

  • Support for the SAE key management suite

    WPA3-Personal requires use of the Simultaneous Authentication of Equals (SAE) key management suite, which is now supported by CDRouter and can be enabled in client mode on the LAN by setting the new testvar wpaKeyMgmt to a value of SAE. When SAE is enabled the SAE secret must also be configured using the new testvar wpaSaePassword.

    In AP mode on the WAN, SAE can be enabled by setting the testvar wanApWpaKeyMgmt to SAE and setting the SAE secret using the new testvar wanApWpaSaePassword.

  • Support for Suite-B key management suites

    WPA3-Enterprise requires use of IEEE 802.1X using Suite B compliant EAP, which is now supported by CDRouter and can be enabled in client mode on the LAN by setting the new testvar wpaKeyMgmt to a value of either SUITE-B (which uses SHA-256 key derivation) or SUITE-B-192 (which uses SHA-384 key derivation).

    In AP mode on the WAN, the testvar wanApWpaKeyMgmt also supports these new options.

  • Support for advanced WPA key management suites

    CDRouter now supports advanced 802.1X and PSK key management suites for WPA and WPA2 that utilize SHA-256 for key derivation. The new testvar wpaKeyMgmt includes the options 802.1X-256 and PSK-256 for enabling these key management suites in client mode on the LAN.

    In AP mode on the WAN, the testvar wanApWpaKeyMgmt also supports these new options.

    Note that legacy key management suites utilizing SHA-128 for key derivation can be configured using the 802.1X and PSK options on the LAN side and the WAN side.

CDRouter TR-069

  • Support for TLS version 1.3

    CDRouter’s ACS can now be configured for TLS 1.3.

CDRouter Performance

  • Support for multiple LAN client performance testing

    CDRouter now supports performance testing with multiple LAN clients using the new perf-multi and perf-multi-v6 test modules that are included with the CDRouter Performance add-on.

    These tests measure the aggregate download and upload throughput of multiple LAN clients over IPv4 and IPv6 using TCP and UDP traffic. In addition to verifying the aggregate bandwidth, CDRouter can also optionally verify that each individual LAN client achieved a minimum fairness throughput using the new testvar perfFairness.

    Up to 32 Ethernet and/or wireless LAN clients can be used during these tests. In addition up to 30 streams per LAN client for a maximum of 960 UDP or TCP connections per test can be configured.

    Note that this functionality requires the CDRouter Performance and Multiport add-ons.

  • Support for performance testing up to 5.0 Gbps

    The CDRouter Performance add-on now supports maximum single client performance speeds of up to 2.5 Gbps and multi-client speeds of up to 5.0 Gbps on the new NTA1000v6-10G platform.

    This feature makes it possible to fully saturate and test cutting edge access points and routers that include 2.5GBASE-T and 5GBASE-T Ethernet interfaces and wireless interfaces capable of greater than 1 Mbps throughput.


  • New NTA1000v6-10G platform with 2.5/5/10 Gbps Ethernet interfaces

    The new NTA1000v6-10G platform includes an integrated dual port 10GBASE-T Ethernet network interface that supports Ethernet speeds of 2.5/5/10 Gbps over standard Category 5e and 6 cabling.

    With this addition there are now two NTA1000 platforms to choose from - the NTA1000v6 which includes eight Gigabit Ethernet NICs, three wifi NICs, and support for up to 128 wireless clients, and the NTA1000v6-10G which includes eight Gigabit Ethernet NICs, two 10 Gigabit Ethernet NICs, two wifi NICs, and support for 64 wireless clients.

  • Support for 2.5/5/10GBASE-T Ethernet interfaces

    With the addition of the new NTA1000v6-10G platform, CDRouter 11.5 now supports 2.5/5/10GBASE-T Ethernet network interfaces for functional and performance testing. Performance testing is limited to 2.5 Gbps (single client) and 5.0 Gbps (multi-client).

Testvar updates

Testvars added to this release:

  • WPA3 LAN side wireless client testvars
    • wpaKeyMgmt - Specifies which RSN/WPA authentication key management suite to use with the DUT.
    • wpaPMF - Specifies if WPA protected management frames should be used with the DUT.
    • wpaSaePassword - Specifies the WPA SAE password to be used with the DUT.
  • WPA3 WAN side wireless AP testvars
    • wanApWpaPMF - Specifies if WPA protected management frames should be used by the WAN Access Point authenticator.
    • wanApWpaSaePassword - Set the 802.11 WPA SAE password used by the WAN Access Point authenticator.
  • New multiple LAN client performance testvar
    • perfFairness - Forces all LAN clients to share the available bandwidth when enabled during multi-LAN performance tests.

Testvars modified or removed in this release:

  • Wireless LAN configuration
    • lanSecurity - The values WPA-PSK and WPA-802.1X have been deprecated and will be removed in a future release. Existing config should be updated to use the value WPA and the new settings available in the wpaMode testvar instead.
    • wpaMode - The following additional values are now available: auto, RSN, WPA-Enterprise, WPA-Personal, WPA2-Enterprise, WPA2-Personal, WPA3-Enterprise, WPA3-Personal. The WPA2 setting has been deprecated and will be removed in a future release.
    • See the wireless LAN Configuration Knowledge Base article for more details on using these new settings.
  • TR-069 TLS configuration
    • acsSslVersion - The values tls and tlsv1_3 have been added to this testvar. The value sslv23 has been removed and will cause a config error if it is used.
      See the Notes section below for more details.

Test Modules and Test Cases

CDRouter TR-069

  • New IR-181 test case

    TEST: ir181_test_5.3.5
    MODULE: ir181
    DESCRIPTION: IR-181 Test 5.3.5: Device Connect/Disconnect Notification

CDRouter Performance

  • New multiple LAN client performance module for IPv4

    MODULE: perf-multi
    DESCRIPTION: IPv4 multiple LAN clients performance tests
  • New multiple LAN client performance module for IPv6

    MODULE: perf-multi-v6
    DESCRIPTION: IPv6 multiple LAN clients performance tests



  • A number of WPA specific testvars have had options deprecated in this release. To maintain backwards compatibility with older configurations, CDRouter will automatically map any deprecated WPA related testvar values to new, supported values according to the following table:

    Testvar          Deprecated Values      New Value
    lanSecurity      WPA-802.1X, WPA-PSK    WPA
    wpaMode          WPA2                   RSN
    wpaCipher        AES-CCMP               CCMP-128
    wpaGroupCipher   AES-CCMP               CCMP-128
  • The testvars used to define the expected contents of the DUT’s wifi beacons for the wifi_20 test case have been updated to support WPA3. Some testvar options have been deprecated while other new options have been added.

    Testvar                    Deprecated Values   New Values
    wifiBeaconWpaMode          WPA2                RSN
    wifiBeaconWpaKeyMgMt       -                   802.1X-256, PSK-256, SAE, SUITE-B, SUITE-B-192
    wifiBeaconWpaCipher        AES-CCMP            CCMP-128, CCMP-256, GCMP-128, GCMP-256
    wifiBeaconWpaGroupCipher   AES-CCMP            CCMP-128, CCMP-256, GCMP-128, GCMP-256
  • The static test module has been updated to support host routes. [LH #4212]

  • The wifi_40 test case has been updated. This test now disassociates all additional LAN clients at the start of the test and performs a new scan for the configured SSID rather than relying on cached and potentially out of date scan data. All clients are re-associated at the end of the test. [LH #4175]

  • Resolved an issue with multi-service gateway configurations on CentOS 7 systems. This issue prevented secondary WAN interfaces on separate VLANs from receiving and responding to traffic from the DUT. This issue was introduced in CDRouter 11.4.1 and impacts only the 11.4.1 and 11.4.2 releases. [LH #4226]

  • Resolved an issue with the elapsed time reported for a running test within CDRouter’s web UI. In CDRouter 11.4.1 and 11.4.2, refreshing the results page within the browser would reset the elapsed time to 00:00 or the elapsed time of the test when the page was first loaded. [LH #4225]

CDRouter Multiport

  • Resolved a fatal error in the static_10 and static_20 test cases when run in a multi-service gateway type configuration with multiple WAN interfaces. [LH #4227]

  • Updated static_20 and static_v6_20 to support dynamic static routes defined on secondary WAN interfaces. [LH #4213]

CDRouter IPv6

  • The static-v6 test module has been updated to support host routes. [LH #4212]

  • The ula_12 test case is not compatible with 6to4 or 6rd WAN modes and is now automatically skipped when 6to4 or 6rd are configured. [LH #4233]

CDRouter TR-069

  • CDRouter’s ACS no longer supports SSL v2. This change was required to add support for TLS v1.3. The acsSslVersion testvar can now be configured with the value tlsv1_3 or the new default mode of tls, which will negotiate down from TLS v1.3 to v1.2 to v1.1 and finally to v1.0. The previous default value, sslv23, has been removed and will cause a config error if it is used. Existing config files that explicitly use this value must be updated to use tls or another valid setting. [LH #3725]

  • The list of ciphers supported by CDRouter’s ACS has been updated. In order to add support for TLS v1.3, a number of new ciphers were added while older ciphers were dropped. Please see the documentation for the testvar acsCipherSuite for the complete list of ciphers supported in this release. For details on which older ciphers have been dropped, please contact

  • The tr69_400 and ir181_test_5.2.6 test cases have been updated to support both IP addresses and FQDNs for the Host parameter entries in the RouteHops table returned by the DUT. Previously only IP addresses were supported. [LH #4218]

  • Resolved an issue in the ir181_test_5.5.1 test case where the DeleteObject RPC called at the end of the test was not properly specifying a full object path. [LH #4232]

  • Resolved a fatal error in ir181_test_5.6.13 if run individually. [LH #4229]

  • Tests od128_test_35.1 through od128_test_35.6 have been updated so that the URL argument of the ChangeDUState RPC contains the file name indicated by the tr69DUInstallImage file instead of "DeploymentUnitImage.bin". This change was made to ensure that the format of the file name in the URL remains consistent with any naming requirements imposed by the DUT implementation.

    Note that the URL argument will always contain the same file name in each test, but the ACS will still dynamically map the URL to either the tr69DUInstallImage or tr69DUInstallImageAlternate image file. This verifies that the DUT follows through with the requested Install or Update operation, even if the URL is the same as one that was used in a previous operation. [LH #4230]

  • A new test, ir181_test_5.3.5 has been added to the ir181 module. This test did not exist in early drafts of the IR-181 specification which is why it was not included in previous releases. [LH #4210]

  • Tests tr69_31 through tr69_38 have been updated to be more compatible with private TLS/SSL certificates. When the acsDownloadCertPath testvar is set, CDRouter will automatically determine the fully-qualified domain name of the alternate ACS server from the CN field of the specified certificate. The primary ACS will use that domain name instead of the default ( in the HTTP redirect it sends to the DUT. If the CN field of the certificate file is set to a wildcard domain (eg.: *, CDRouter will use the hostname “acs-download” with the target domain (“”). [LH #4214]

  • Test tr69_wireless_50 was updated to resolve an error that occurred when the LAN client failed to reassociate with the DUT. [LH #4240]

  • Updated the od128_test_19.1 test case to select a channel from the list of channels supported by the DUT rather than using channel 11, which may or may not be supported by the DUT. [LH #4198]
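
The deprecated WPA values in the mapping table above and the removed acsSslVersion value sslv23 can be checked for in an existing config before upgrading. This is an added example, not QA Cafe code; it assumes config lines of the form `testvar <name> <value>`, and the function name audit_config and the sample config are constructed for illustration.

```python
import re

# Deprecated value -> value CDRouter 11.5 maps it to (from the table in these notes).
# Note: lanSecurity WPA-PSK / WPA-802.1X both collapse to WPA; the notes recommend
# also choosing an explicit wpaMode preset, which this script cannot decide for you.
DEPRECATED = {
    "lanSecurity": {"WPA-802.1X": "WPA", "WPA-PSK": "WPA"},
    "wpaMode": {"WPA2": "RSN"},
    "wpaCipher": {"AES-CCMP": "CCMP-128"},
    "wpaGroupCipher": {"AES-CCMP": "CCMP-128"},
}

# Removed value -> suggested replacement. The notes state that sslv23 now causes
# a config error and that "tls" is the new default mode.
REMOVED = {"acsSslVersion": {"sslv23": "tls"}}

# Assumed line syntax: testvar <name> <value> [trailing text such as a # comment]
LINE_RE = re.compile(r"^(\s*testvar\s+)(\S+)(\s+)(\S+)(.*)$")


def audit_config(text):
    """Return (findings, upgraded_text).

    findings is a list of (line_number, severity, testvar, old_value, new_value),
    where severity is "deprecated" (still accepted, auto-mapped) or "error"
    (value removed, config will not load).
    """
    findings = []
    upgraded = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)  # comment lines start with '#', so they never match
        if m:
            prefix, name, gap, value, rest = m.groups()
            for severity, table in (("deprecated", DEPRECATED), ("error", REMOVED)):
                new_value = table.get(name, {}).get(value)
                if new_value is not None:
                    findings.append((lineno, severity, name, value, new_value))
                    line = prefix + name + gap + new_value + rest
                    break
        upgraded.append(line)
    return findings, "\n".join(upgraded) + "\n"


# Constructed sample input, not taken from a real CDRouter config.
SAMPLE = """\
# wireless LAN and ACS settings carried over from an 11.4 config
testvar lanSecurity WPA-PSK
testvar wpaMode WPA2
testvar wpaCipher AES-CCMP
testvar wpaGroupCipher CCMP-256
testvar acsSslVersion sslv23   # old default
testvar wpaPMF auto
"""

if __name__ == "__main__":
    results, new_text = audit_config(SAMPLE)
    for lineno, severity, name, old, new in results:
        print(f"line {lineno}: {severity}: {name} {old} -> {new}")
    print(new_text, end="")
```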

CDRouter Performance

  • The maximum value of the perfStreams testvar has been reduced from 500 to 128. This change was made to improve the overall consistency and repeatability of performance test results. [LH #4148]

  • The maximum number of streams will be automatically capped to 32 when running the multi-perf and multi-perf-v6 test modules if the perfStreams testvar is set to a value greater than 32. [LH #4148]

  • Relaxed skip logic to allow the perf-lan and perf-lan-v6 tests to run in bridge mode configurations. [LH #4178]

  • The test descriptions of perf_10 and ipv6_perf_10 mistakenly referred to testvar “perfDHCPRestartLatency”, which does not exist. The correct testvar is perfDHCPRestartMaxLatency. The test descriptions have been updated. [LH #4244]

  • Performance graphs now support values greater than 1 Gbps. In addition, all performance graphs now default to auto for the graph scale.

  • All latency tests now verify and graph the upload and download latencies independently. Previously only the sum of the upload and download latencies was verified and graphed. [LH #3330]

CDRouter USP

  • Resolved a fatal error when generating STOMP error messages. [LH #4219]

  • Resolved an issue with test case usp_30 that sometimes resulted in a fatal error when trying to download new firmware. Also adjusted the test to be more event driven instead of time based. [LH #4189]

CDRouter 11.5 Build 3 August 15, 2019

New Features and Enhancements


  • WAN side 802.1X authenticator now supports EAP-PEAP

    CDRouter’s WAN authenticator now supports EAP-PEAP v0 and v1 with MS-CHAPv2 using anonymous outer identities. PEAP can be enabled by setting the testvar wanEapType to the new value eap-peap. CDRouter’s WAN authenticator is used to authenticate wired and wireless clients when 802.1X authentication is enabled on the WAN. [LH #4209]

  • New test case for verifying the DUT’s ping behavior on the WAN

    A new test case, cdrouter_icmp_7 has been added to the icmp module. This test case verifies the expected behavior of the DUT when it receives ICMP pings on the WAN. If the testvar wanPingRespond is set to yes, this test will verify that the DUT responds to pings on the WAN. If set to no, this test verifies that the DUT does not respond to pings on the WAN. [LH #4261]

CDRouter BBF.069

  • BBF.069 updated

    CDRouter is now shipping with Release 9.1 of the BBF.069 scripts from the UNH-IOL. For a complete list of modifications included with this release, please see the notes section below.

Testvar updates

Testvars added to this release:

  • None

Testvars modified or removed in this release:

  • None

Test Modules and Test Cases


  • New ICMP test case

    TEST: cdrouter_icmp_7
    MODULE: icmp
    DESCRIPTION: Verify ICMP Echo Requests to router's WAN side IP address from the WAN



  • Some refactoring of CDRouter’s client and server EAP/EAPOL functionality has been performed as part of the work associated with adding EAP-PEAP support to the WAN side 802.1X authenticator. [LH #4209]

  • The default value of the wanPingRespond testvar has been changed from yes to no for consistency with the default configuration of most DUTs. [LH #4261]

  • Set the maximum value of the natMaxTcpConns testvar to 4000. This is the largest value supported on current NTA1000 systems. [LH #4256]

CDRouter IPv6

  • Resolved an issue associated with the dhcpv6ClientOptionRequest testvar. In previous releases CDRouter’s DHCPv6 clients were not honoring this testvar. [LH #4250]

  • The ula_12 test case has been updated and can now be run in 6to4 and 6rd WAN configurations. [LH #4234]

CDRouter Performance

  • CDRouter will now generate a failure if any of the interfaces used for a performance test do not have IPv4 and/or IPv6 addresses at the start of the test. [LH #4176]

CDRouter TR-069

  • The wireless configuration verification tests in the tr69_wireless and ir181 test modules have been updated. These tests now validate that the DUT includes the client MAC in the AssociatedDevice table after the basic traffic verification step has been performed. This resolves an issue with some implementations where the AssociatedDevice table was verified before it had been fully updated by the DUT. [LH #4246]

  • Resolved a regression in the tr69_wireless_40, tr69_wireless_41, tr69_wireless_42, ir181_test_5.6.9, ir181_test_5.6.11, and ir181_test_5.6.13 test cases which prevented CDRouter from properly associating with the DUT after changing the wireless configuration. This regression was introduced in release 11.5.2 as part of the WPA3 work. [LH #4262]

  • Updated the od128_test_19.1 test case to prevent configuration of a wireless channel that is not supported by the DUT. [LH #4247]

  • The cdrouter_heartbleed_300 test case has been updated to use an alternate ACS server to verify the Heartbleed exploit against the DUT. The DUT’s Device.ManagementServer.URL parameter will temporarily be changed to direct the DUT to the alternate ACS. The location of the SSL certificates for the alternate ACS is configurable using the acsDownloadCertPath and acsDownloadCaCertPath testvars. [LH #4259]

  • Re-factored the code associated with the tr69ForceBoolean testvar. [LH #4223]

CDRouter BBF.069

  • The bbf069UploadType testvar was updated to support the “3 Vendor Configuration File <i>” and “4 Vendor Log File <i>” FileType values. [LH #156]

  • The 5_103_periodic_inform_time_past and 5_104_periodic_inform_time_future tests were updated to improve validation of the DUT’s reported CurrentTime parameter and any parsing errors in the test log. [LH #179]

  • The 5_081_download_queuing test was updated with additional logging to aid in troubleshooting failures. [LH #171]

  • Resolved an issue in the 5_036_redirect_cookies test that sometimes caused the ACS to quote the DUT’s cookie value, resulting in a mismatch and eventual test failure. [LH #159]

  • Updated 5_098_inform_ip_address_change test to make it compatible with changes to CDRouter’s DHCP server in CDRouter 11.0. Those changes were causing a fatal error in this test. [LH #170]

  • Resolved an issue in the 5_032_redirect_multiple_redirections test to ensure the alternate ACS uses the correct transport and port when redirecting the DUT back to the primary ACS. [LH #182]

  • Updated the 5_019_conn_request and 5_020_conn_request_session_exists tests to support XMPP connection requests. Before this, only HTTP connection requests were supported. [LH #185]

  • The 5_023_conn_TLS and 5_024_conn_TLS_1_2 tests were updated to ensure the DUT does not have any pending Inform messages at the start of the test. Prior to this change, an unexpected connection from the DUT could cause the ACS to accept the CWMP session without requiring TLS 1.0, resulting in a false positive test result. [LH #186]

  • CDRouter will now automatically skip the DHCPv4.tcl test module if IPv4 is not enabled in the config file. Likewise, the DHCPv6.tcl test module is skipped if IPv6 is not enabled. [LH #181]

  • The 5_097_DUT_properly_encodes_and_decodes_XML_entities_test test was updated to ensure that the DUT is always returned to its original state at the end of the test. In some situations, the test would exit early without resetting the Device.ManagementServer.Username and Device.ManagementServer.Password parameters to their original values. [LH #161]

  • Resolved a packet processing bug that was causing “ERROR(pktsrc)” errors to be reported in the 5_019_conn_request and 5_020_conn_request_session_exists tests. [LH #172]

  • Fixed a timing problem that caused the 5_089_factoryReset test to miss the TCP FIN sent by the DUT, resulting in a false negative test result. [LH #164]

  • Updated the 5_020_conn_request_session_exists test to address a fatal error caused when the DUT unexpectedly terminates the initial CWMP session. [LH #175]

  • Test cases 5_021_conn_after_interval, 5_067_SPA_Active_notif_persist, 5_074_addObject, 5_060_GPA_complete_path and 5_061_GPA_multiple_complete_path were updated to address an error that can occur if the GetParameterAttributes request fails unexpectedly. [LH #165]

  • Resolved an issue in the 5_021_conn_after_interval test that could cause a fatal error when resetting the PeriodicInformInterval parameter. [LH #169]

  • Fixed a bug in the 5_042_SPV_SOAP_Fault test that resulted in a fatal error in some situations. [LH #162]

  • A number of additional tests that require user intervention will now be skipped if the test package is not run with “pause mode” enabled. The full list of manual tests is shown below [LH #163]:

    • 5_001_DHCPv4_ACS_discovery
    • 5_002_DHCPv6_ACS_discovery
    • 5_003_DHCPv4_ACS_rediscovery
    • 5_004_DHCPv6_ACS_rediscovery
    • 5_005_DHCPv4_Inform_retry
    • 5_006_DHCPv6_Inform_retry
    • 5_011_Same_mechanism_after_factoryReset
    • 5_012_DHCPv4_null_term_URL
    • 5_013_DHCPv6_null_term_URL
    • 5_016_ACS_URL_mod_3rd_party
    • 5_018_event_discard_after_bootstrap
    • 5_066_SPA_Active_notif
    • 5_069_SPA_complete_path_passive_notif
    • 5_070_SPA_partial_path_passive_notif
    • 5_071_SPA_complete_partial_path_passive_noti
    • 5_072_SPA_disable_notif
    • 5_079_Manual_Reboot
    • 5_089_factoryReset
    • 5_098_inform_ip_address_change
    • 5_099_no_inform_ip_address_change
    • 5_100_enable_cwmp_to_false
    • 5_105_default_active_notification_throttle
  • Patched the 5_068_SPA_atomic test case to ensure that the value set in subsequent SetParameterAttribute RPCs is different than the initial value at the start of the test. [LH #4270]



About CDRouter

CDRouter is made by QA Cafe, a technology company based in Portsmouth, NH.