When using things like SSH and SCP at scale across many hosts, it's important to trim available cipher suites. Rolling through all ciphers suites until a match is found can be time costly. At the very least you should trim your client and proxies to use a limited set of valid ciphers. It's also valuable to limit on the server side too in order to avoid keys and certificates using corrupted ciphers.
Below is what I deem to be the best security/performance configurations for an optimal path.
ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
aes192-ctr,aes256-ctr,aes192-cbc,aes256-cbc
hmac-sha2-256,hmac-sha2-512