I had an issue wherein I couldn't SSH to a Cisco ASA firewall and received a key exchange error. I checked the configured SSH key exchange group, and it was configured to use a higher DH group, which is the default in newer Cisco ASA versions.
[john@server01 ~]$ ssh admin@192.168.202.4
Unable to negotiate with 192.168.202.4 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha256
ciscoasa# show run ssh
ssh stricthostkeycheck
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 10.10.0.0 255.255.0.0 management
I configured a lower DH group as an interim solution. The management server needs to be upgraded in order to support newer SSH key exchange protocols as a permanent fix.
ciscoasa# configure terminal
ciscoasa(config)# ssh key-exchange group ?
configure mode commands/options:
curve25519-sha256 Diffie-Hellman group-31-sha256
dh-group1-sha1 Diffie-Hellman group 2 (DEPRECATED)
dh-group14-sha1 Diffie-Hellman group-14-sha1
dh-group14-sha256 Diffie-Hellman group-14-sha256
ecdh-sha2-nistp256 Diffie-Hellman group-19-sha256
ciscoasa(config)# ssh key-exchange group dh-group1-sha1
WARNING: DH group 2 is considered insecure. This option is deprecated and will be removed in a later version.
I was able to SSH and save the RSA key afterwards.
[john@server01 ~]$ ssh admin@192.168.202.4
The authenticity of host '172.16.22.4 (172.16.22.4)' can't be established.
RSA key fingerprint is 98:c0:6b:42:88:7f:48:68:ae:a1:b4:04:03:12:34:56.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.202.4' (RSA) to the list of known hosts.
admin@192.168.202.4's password:<SSH PASSWORD>
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.16.x
SSP Operating System Version 2.10.x
Device Manager Version 7.18.x
Compiled on Wed 03-Aug-22 05:26 GMT by builders
ciscoasa up 23 hours 51 mins
failover cluster up 23 hours 51 mins
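Before settling on dh-group1-sha1 as the interim setting, it is worth checking whether the client shares a stronger group with the ASA. The script below is an added example, not part of the original post: it parses the negotiation error and picks the strongest `ssh key-exchange group` keyword from the help output above that the client also supports. The client algorithm list and the preference order are assumptions; on clients that support it, `ssh -Q kex` prints the real list.

```shell
#!/bin/sh
# Added example (not from the original post).
# ASA "ssh key-exchange group" keywords from the help output above, paired with
# the SSH protocol names that clients use for the same methods.
# Order is an assumed preference, strongest first.
ASA_KEX_MAP='curve25519-sha256=curve25519-sha256
ecdh-sha2-nistp256=ecdh-sha2-nistp256
dh-group14-sha256=diffie-hellman-group14-sha256
dh-group14-sha1=diffie-hellman-group14-sha1
dh-group1-sha1=diffie-hellman-group1-sha1'

# server_offer LINE: print the algorithms listed after "Their offer:", one per line.
server_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' '\n'
}

# best_asa_group CLIENT_KEX: print the first ASA keyword (in preference order)
# whose protocol name appears in the client's list (one name per line).
# Returns 1 when there is no overlap, i.e. the client has to be upgraded.
best_asa_group() {
    client_list=$1
    for pair in $ASA_KEX_MAP; do
        asa=${pair%%=*}
        proto=${pair#*=}
        if printf '%s\n' "$client_list" | grep -qxF -- "$proto"; then
            printf '%s\n' "$asa"
            return 0
        fi
    done
    return 1
}

# Error line as shown in the post.
ERR='Unable to negotiate with 192.168.202.4 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha256'

# Constructed sample: key exchange methods of an older client (assumption).
CLIENT_KEX='diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1'

echo "ASA offers:   $(server_offer "$ERR")"
echo "Interim pick: ssh key-exchange group $(best_asa_group "$CLIENT_KEX")"
```

With the constructed client list, the pick is dh-group14-sha1, which keeps the 2048-bit group instead of falling back to the deprecated group.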