Turns out there is a very simple fix for this. On the ASA ssh key-exchange group dh-group14-sha1 Or as a quick work around you could add -oKexAlgorithms=+diffie-hellman-group1-sha1 in the client bash>ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 username@xxx.xxx.xxx.xxx