08-09-2021 02:12 AM
Hello, I can't SSH to my Cisco 2900. It keeps showing "connection timed out", but if I connect via telnet it works. Here's my config:

TLKM-CF-CM#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0PeDZUjcFLv2pO8oWuJT8tzAWkMR9Ka5c7j99lTj/
SOXXH1fS6ck3L1HRfJvmR1P9nr7DSS8gMAlvPGTSD2x+5vYJhAmR5Ifdje2NPIjvkI3j82FVuIN02Dss
kesJShFBN+q97+etQrdf6GD8kO3x8Jfp3HjCntfDiH1EF+wnhw==

hostname TLKM-CF-CM
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
!
ip flow-cache timeout inactive 600
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated

line con 0
 login local
line aux 0
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
08-09-2021 03:21 AM - edited 08-09-2021 03:23 AM
Check for any ACL applied on the interface that is stopping you from getting in on port 22. What device are you trying to SSH from (a PC, or another router or switch)?
08-09-2021 05:15 AM
There's no ACL applied. Anyone in my WAN (PC/router) can access my router via telnet but can't access it via SSH. I asked my ISP; they said there's no blocking on port 22.
08-09-2021 05:19 AM
This is from the WAN side; how about from inside? Is it the same case?
We need to look at the full config here. Please post "show run" from the device having the issue, and tell us what source IP address you are initiating the SSH connection from. (Enable debug, check by initiating a connection, and post the logs along with show run.)
08-09-2021 02:17 PM
It is helpful to see the output of show ip ssh indicating that SSH is enabled (and limited to version 2, not version 1). Is it possible that your ssh client is attempting version 1?
It is interesting to see the partial configuration (and hope it is current and accurate). The vty ports are not using access class so that is not impacting ssh remote access. Both telnet and ssh are enabled so that is good.
It might be helpful to run debug for ssh (after changing the logging level for logging buffered to debug) and post any output when attempting ssh connection.
I am wondering if there might be some type of thing like control plane policing. To determine that we would need to see the complete configuration (masking any sensitive information like Public IP and passwords).
08-10-2021 12:05 AM
Sorry for not mentioning it first: my router can't be accessed via SSH from the WAN, but it works from the LAN. I posted the sh run above.
08-10-2021 12:02 AM
It works from the LAN but not from the WAN. Here's my sh run:
PC -> router -> WAN -> *router -> lan -> PC
*the router that i can't access via ssh
sh run
Building configuration...

Current configuration : 6313 bytes
!
! Last configuration change at 04:05:55 UTC Tue Aug 10 2021 by sistel
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TLKM-CF-CM
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
!
!
ip flow-cache timeout inactive 600
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1708665784
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1708665784
 revocation-check none
 rsakeypair TP-self-signed-1708665784
!
!
crypto pki certificate chain TP-self-signed-1708665784
license udi pid CISCO2901/K9 sn *******
license boot module c2900 technology-package datak9
!
!
username sistel privilege 15 password 7 *******
username telkom privilege 15 password 7 *******
username support privilege 7 password 7 *******
username tri privilege 15 secret 4 *******
!
redundancy
!
!
ip ssh version 2
!
track 1 ip route 10.10.10.0 255.255.248.0 reachability
 delay down 120 up 120
!
track 2 ip sla 1
 delay down 120 up 120
!
track 3 ip sla 2
 delay down 120 up 120
!
class-map match-any Management
 match protocol dhcp
 match protocol dns
 match protocol kerberos
 match protocol ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
class-map match-any Transactional
 match protocol finger
 match protocol notes
 match protocol secure-telnet
 match protocol sqlserver
 match protocol telnet
 match protocol icmp
 match protocol xwindows
 match protocol ssh
class-map match-any Voice
class-map match-any Routing
 match protocol bgp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any Signaling
!
policy-map QoS-Policy-1
 class Voice
  set dscp ef
  priority percent 30
 class Signaling
  set dscp cs3
  bandwidth percent 5
 class Routing
  set dscp cs6
  bandwidth percent 5
 class Management
  set dscp cs2
  bandwidth percent 5
 class Transactional
  set dscp af21
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
policy-map QoS-Policy-2
 class class-default
  shape average 256000
  service-policy QoS-Policy-1
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
interface Loopback0
 ip address 192.******* 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN to PE
 bandwidth 1024
 ip address 172.******* 255.255.255.252
 ip nbar protocol-discovery
 ip flow ingress
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN DATA
 ip address 10.******* 255.255.240.0
 ip policy route-map telkom
 standby 2 ip 10.*******
 standby 2 priority 200
 standby 2 preempt
 standby 2 track 1 decrement 200
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 description LAN VOICE
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
!
interface Vlan1
 description VLAN VOICE
 ip address 172.******* 255.255.255.224
!
!
router bgp 65260
 bgp log-neighbor-changes
 neighbor 172.******* remote-as 17974
 !
 address-family ipv4
  network 10.******* mask 255.255.240.0
  network 172.******* mask 255.255.255.224
  network 172.******* mask 255.255.255.252
  network 192.******* mask 255.255.255.255
  redistribute connected
  neighbor 172.******* activate
  neighbor 172.******* soft-reconfiguration inbound
 exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/0
ip flow-export version 9
ip flow-export destination 10.10.4.251 9991
!
ip route 0.0.0.0 0.0.0.0 172.*******
ip route 170.******* 255.255.255.252 10.******* name wan_icon
ip route 170.******* 255.255.255.252 10.******* name wan_icon
!
ip access-list extended icon
 permit ip 10.******* 0.0.15.255 any
ip access-list extended telkom
 permit ip 10.******* 0.0.15.255 10.21.0.0 0.0.255.255
 permit ip 10.******* 0.0.15.255 host 10.*******
 permit ip 10.*******0 0.0.15.255 10.******* 0.0.0.255
 permit ip 10.******* 0.0.15.255 10.******* 0.0.0.255
!
!
ip prefix-list advertised seq 101 permit 10.*******/20
ip prefix-list advertised seq 102 permit 172.*******/27
ip prefix-list advertised seq 103 permit 192.*******/32
ip prefix-list advertised seq 104 permit 172.*******/30
ip prefix-list advertised seq 200 deny 0.0.0.0/0 le 32
ip sla auto discovery
ip sla 1
 icmp-echo 172.******* source-ip 172.*******
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 170.******* source-ip 10.*******
ip sla schedule 2 life forever start-time now
access-list 100 permit ip 10.******* 0.0.15.255 host 10.*******
access-list 100 permit ip host 10.******* 10.******* 0.0.15.255
!
route-map telkom permit 10
 match ip address telkom
 set ip next-hop verify-availability 172.******* 1 track 2
 set ip next-hop verify-availability 10.******* 2 track 3
!
route-map telkom permit 20
 match ip address icon
 set ip next-hop verify-availability 10.******* 1 track 3
 set ip next-hop verify-availability 172.******* 2 track 2
!
!
snmp-server community hubert RO
snmp-server enable traps tty
snmp-server enable traps entity-sensor threshold
!
control-plane
!
!
privilege exec level 7 traceroute ip
privilege exec level 7 traceroute
privilege exec level 7 ping ip
privilege exec level 7 ping
privilege exec level 7 clear ip accounting
privilege exec level 7 clear ip
privilege exec level 7 clear
!
line con 0
 login local
line aux 0
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
08-10-2021 12:30 AM
It works from the LAN but not from the WAN. Here's my sh run:
PC -> router -> WAN -> *router -> lan -> PC
*the router that I can't access via SSH
Is this a lab or a real deployment?
Since you confirmed SSH is working on the LAN side, I do not see any issue around the SSH config here for now.
What IP address on the PC (left side) are you trying to SSH from (an outside IP address)?
On the router the PC is connected to (does it have an ACL for SSH?), do you see the SSH traffic leaving that router?
It is worth enabling debug on both routers to understand the issue (initiate the connection and post the debug logs).
08-10-2021 08:04 AM
I want to be sure that my understanding of this situation is correct. The PC on left in the diagram is the source of telnet and ssh. telnet or ssh from that PC goes through a router and over a WAN to reach the router which is the destination for telnet and ssh. From the left PC telnet to the router is successful but ssh from the left PC to the router fails. ssh from the lan on the right is successful. The PC on the left is able to ssh to other devices. If any of this is not correct please clarify.
I see these points:
- ssh from the local lan works and this shows that ssh is correctly set up on the router.
- telnet from the PC on the left works and that demonstrates that routing and IP connectivity are correct and working.
- the running config shows that there is no access list on the outside interface and no access class on the vty so there is no security policy on the router that would impact ssh.
- the class map treats telnet and ssh the same so it would have no impact on ssh.
- the running config does restrict ssh to version 2. I have suggested the possibility that the PC attempting ssh might be using version 1. This should be investigated.
- everything that we see looks like ssh should work. But ssh does not work. So there must be something that we do not see that is impacting ssh.
I suggest these steps for investigating the issue:
- change logging buffered from level warning to level debug.
- attempt ssh from the PC on the left.
- post all debug output.
If the issue is that the PC is using ssh version 1 the debug output should show this. I am guessing that there might be no debug output. This would indicate that the ssh request did not get to the router and that the issue is that something along the path (perhaps the router on the left or something in the WAN) is dropping the ssh.
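To separate the two hypotheses in this post (a client offering only SSH version 1, versus the SSH connection being dropped somewhere on the path) before touching the router, here is an added client-side probe; it is not from the thread or from Cisco. It reports whether TCP 23 and 22 time out, are refused, or answer, and reads the SSH identification string so the offered protocol version can be compared with the router's "ip ssh version 2". The default target 192.0.2.1 is a placeholder; pass the router's WAN address on the command line.

```python
"""Client-side probe for the telnet/SSH ports of a device (added example,
not from the thread). Distinguishes a TCP timeout (SYN dropped somewhere
on the path, what the original poster sees), a refused connection (host
reached, nothing listening) and an answered connection with its banner."""
import socket
import sys
from dataclasses import dataclass


@dataclass
class ProbeResult:
    port: int
    state: str          # "open", "timeout", "refused" or "error"
    banner: str = ""    # first line the server sent, if any


def parse_ssh_version(banner: str) -> str:
    """Protocol version from 'SSH-protoversion-softwareversion' (RFC 4253);
    '1.99' means the server accepts both v1 and v2 clients."""
    if not banner.startswith("SSH-"):
        return "not-ssh"
    return banner.split("-", 2)[1]


def probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Open a TCP connection and read at most one greeting line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # telnet servers may wait for the client to speak
            line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
            return ProbeResult(port, "open", line)
    except socket.timeout:
        return ProbeResult(port, "timeout")   # SYN or SYN/ACK never came back
    except ConnectionRefusedError:
        return ProbeResult(port, "refused")   # host reached, no listener
    except OSError as exc:
        return ProbeResult(port, "error", str(exc))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    for port in (23, 22):
        r = probe(target, port)
        print(port, r.state, r.banner, parse_ssh_version(r.banner) if r.banner else "")
```

Run it once from the LAN PC and once from the WAN PC: "open" on 23 with "timeout" on 22 from the WAN only points at a filter on the path rather than at the router's SSH configuration.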
08-09-2021 03:03 PM
Hello
Try removing the current crypto key and generate a new one, then test again.
conf t
crypto key zeroize
crypto key generate rsa label local-key general-keys modulus 2048
ip ssh ver 2
08-10-2021 12:06 AM
Sorry, I forgot to mention that my router can't be accessed via SSH from the WAN, but it works if I SSH from the LAN. I posted the sh run above.