Older devices may not support modern ciphers / key exchanges.

While technically they’re insecure it may not be possible to retire the device in question, so here is a work around to allow the weaker Diffie-Hellman group.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@device