IP SLA Authentication

We can secure IP SLA communication by making the IP SLA Source and the Responder authenticate each other before an operation runs. The authentication is MD5-based and covers the control message the Source sends to the Responder; both sides are given the same key chain.

Configuration on Source (R1):

Define a key:

R1(config)#key chain 1
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco

Configure an IP SLA operation (UDP jitter, which uses the Responder):

R1(config)# ip sla 1
R1(config-ip-sla)#udp-jitter 10.10.12.2 5000 source-ip 10.10.12.1
R1(config-ip-sla-jitter)# frequency 15

R1(config)#ip sla schedule 1 life forever start-time now


Bind the IP SLA control messages to the defined key chain (this command is global and applies to every operation on the router, not just SLA 1):

R1(config)#ip sla key-chain 1


Bind the IP SLA to a track object so its state can be monitored:

R1(config)#track 10 ip sla 1 reachability


Configuration on Responder (R2):

Define a key (the key-string must be the same as the one configured on the Source):

R2(config)#key chain 1
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string cisco

Bind the responder with the configured key:

R2(config)#ip sla responder
R2(config)#ip sla key-chain 1


Commands to verify:

When no key, or a wrong key, is configured on Responder R2, the operation reports an authentication failure and the track goes down:

R1#sh track 10
Track 10
  IP SLA 1 reachability
  Reachability is Down  
    1 change, last change 00:01:33
  Latest operation return code: Authentication failure

R1#sh ip sla statistics 1 | i RTT|failures
Round Trip Time (RTT) for       Index 2
        Latest RTT: 0 ms                          >>>>>> Latest RTT shows 0 because no probe completed.
RTT Values
        Number Of RTT: 0
        RTT Min/Avg/Max: 0/0/0 ms       >>>>>  No RTT samples are recorded either.
Number of failures: 12                        >>>>>  The failures counter keeps increasing with every attempt.

As soon as the correct key is configured on the responder, the IP SLA operation and the track come up:

R1#sh track 10
Track 10
  IP SLA 1 reachability
  Reachability is Up
    2 changes, last change 00:00:02
  Latest operation return code: OK
  Latest RTT (millisecs) 20

R1#sh ip sla statistics 1 | i RTT|failures
Round Trip Time (RTT) for       Index 2
        Latest RTT: 20 ms
RTT Values
        Number Of RTT: 10
        RTT Min/Avg/Max: 3/20/38 ms
Number of failures: 15                        >>>>>  Cumulative; it keeps the failures counted before the key was fixed and stops growing once authentication succeeds.


IMP Note: Authentication only applies to operations that use the IP SLA Responder, such as UDP echo and UDP jitter, because it is the control message between Source and Responder that carries the MD5 digest. An ICMP echo operation does not use the Responder: the target device's IP stack answers the echo request directly, so there is no control message to authenticate.

So if you configure an IP SLA with the "icmp-echo" option on the Source node, the operation and its track will show Up on the Source even when the authentication parameters on Source and Responder differ. You can test this by removing the key chain on the Responder, or by configuring a key chain with a different key-string there: the IP SLA/Track on the Source stays Up.

Two further caveats for anyone relying on this as a security control. First, the same gap applies to a UDP echo or UDP jitter operation configured with "control disable": with the control message suppressed, no authentication takes place. Second, the key-string is stored in the running configuration; without "service password-encryption" it appears in clear text, and even with it the type 7 encoding is trivially reversible, so treat the config itself as sensitive.
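As an added example, not part of the original page: a small Python checker that turns the verification steps above into something scriptable. It parses "show track" output into the three states described on this page (authentication failure, OK, other failure) and scans a running-config excerpt to report which operations the global "ip sla key-chain" actually protects, flagging icmp-echo operations (no Responder involved) and Responder-based operations configured with "control disable" (no control message to authenticate). The sample outputs are constructed from the outputs shown on this page; operations 2 and 3 in the config excerpt, the set of Responder-based operation types, and all function names are assumptions made for the example.

```python
import re

# Constructed sample outputs, modelled on the show outputs captured on this page
# (example data, not a live capture).
SHOW_TRACK_AUTH_FAIL = """\
Track 10
  IP SLA 1 reachability
  Reachability is Down
    1 change, last change 00:01:33
  Latest operation return code: Authentication failure
"""

SHOW_TRACK_OK = """\
Track 10
  IP SLA 1 reachability
  Reachability is Up
    2 changes, last change 00:00:02
  Latest operation return code: OK
  Latest RTT (millisecs) 20
"""

# Constructed running-config excerpt: operation 1 is the page's udp-jitter probe;
# operations 2 and 3 are assumed extras that the key chain cannot protect.
RUNNING_CONFIG = """\
ip sla 1
 udp-jitter 10.10.12.2 5000 source-ip 10.10.12.1
 frequency 15
ip sla 2
 icmp-echo 10.10.12.2 source-ip 10.10.12.1
ip sla 3
 udp-echo 10.10.12.2 5000 control disable
ip sla schedule 1 life forever start-time now
ip sla key-chain 1
"""

# Operation types the page names as needing the IP SLA Responder (and therefore
# the authenticated control message). Assumption: limited to the two the page names.
RESPONDER_OPS = {"udp-jitter", "udp-echo"}


def parse_track(text):
    """Extract reachability and the latest return code from `show track N` output."""
    reach = re.search(r"^\s*Reachability is (\w+)", text, re.M)
    code = re.search(r"^\s*Latest operation return code: (.+?)\s*$", text, re.M)
    return {"reachability": reach.group(1), "return_code": code.group(1)}


def classify(track_text):
    """Map `show track` output onto the states the page describes."""
    t = parse_track(track_text)
    if t["return_code"] == "Authentication failure":
        return "auth_failure"   # key chain mismatch between Source and Responder
    if t["return_code"] == "OK" and t["reachability"] == "Up":
        return "ok"
    return "down"               # any other failure (timeout, unreachable, ...)


def parse_sla_ops(config):
    """Return {op_number: {"type": ..., "control": bool}} from running-config text."""
    ops, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^ip sla (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            ops[current] = {"type": None, "control": True}
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if ops[current]["type"] is None:   # first sub-command names the probe type
                ops[current]["type"] = parts[0]
                # `control disable` suppresses the control message, so nothing is authenticated
                if "control" in parts:
                    i = parts.index("control")
                    if i + 1 < len(parts) and parts[i + 1] == "disable":
                        ops[current]["control"] = False
        else:
            current = None                     # back at the global config level
    return ops


def authenticated_ops(config):
    """Operation numbers that the global `ip sla key-chain` actually protects."""
    if not re.search(r"^ip sla key-chain \S+", config, re.M):
        return set()
    return {n for n, op in parse_sla_ops(config).items()
            if op["type"] in RESPONDER_OPS and op["control"]}


def unauthenticated_ops(config):
    """Operations the key chain does not protect, with the reason for each."""
    reasons = {}
    for n, op in parse_sla_ops(config).items():
        if op["type"] not in RESPONDER_OPS:
            reasons[n] = f"{op['type']} does not use the IP SLA Responder"
        elif not op["control"]:
            reasons[n] = f"{op['type']} runs with control disable, so no control message is sent"
    return reasons
```

Running classify() over the two constructed outputs returns "auth_failure" and "ok"; on the constructed config, authenticated_ops() returns {1} and unauthenticated_ops() names operations 2 and 3 with the reason each one falls outside the key chain's protection. Feeding it real "show running-config" and "show track" text from a Source router is a quick way to confirm that a track you rely on is actually backed by an authenticated operation.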